Five Tips for Measuring Progress in Information Security

By   ISBuzz Team
Writer , Information Security Buzz | Sep 25, 2013 10:40 pm PST

In my post on Measuring and Reporting on Vulnerability Risk, I talked about how rankings and categories make for some easy to understand graphs, but they tend to fail at meaningfully measuring progress over time.

It’s tempting to use the standard output of your information security products as the basis for tracking progress, but counting the numbers of highs, mediums and lows simply isn’t an accurate a representation overall progress.

These kinds of operational metrics, such as vulnerability counts,  are attractive as a means of measuring progress, or more importantly for communicating progress, because they’re intuitive; If we focus on patching vulnerabilities, then the vulnerability count should go down.