Two of the most famous quotes from Lord Kelvin are “to measure is to know” and “if you cannot measure it, you cannot improve it”. In that spirit, Measures and Metrics in Corporate Security by George Campbell provides a quick, high-level introduction to the topic of security metrics and measurement. Campbell is the former Chief Security Officer at Fidelity Investments, where metrics are used heavily.
Security metrics are a key initiative for many CISOs. What they often struggle with, however, is finding the right information security metrics and turning them into operational measurements that can be used to support the business.
The first part of the book contains the following three chapters, which cover the first 70 pages:
Chapter 1: The Basics
Chapter 2: Types of Metrics and Performance Indicators Appropriate to the Security Mission
Chapter 3: Building a Model Appropriate to Your Needs
The next 70 pages contain the following appendixes:
Appendix 1: Examples of Security-Related Measures and Metrics
Appendix 2: Trade Associations and Other Organizations with Security Voluntary Compliance Programs
Appendix 3: Sample High-Level Security Work Breakdown Structure
Appendix 4: Physical Security Cost Estimating Tables
Appendix 5: Risk Measure Maps
The book does not have a companion web site, and it would have been quite beneficial if the templates detailed in the appendixes were available in soft copy.
The book notes that security metrics are easy to create. Really good security metrics, those that add value to the organization, are much harder to develop. For those looking to create good security metrics, Measures and Metrics in Corporate Security is a good starting point.