Enterprise security chiefs can gain credibility and visibility within their organisations by delivering initiatives that are based on business-centric metrics, a high-level security conference has been told.
Speaking at Forrester Research's annual Security Forum EMEA in Amsterdam, analyst Khalid Kark, argued that many firms focus too much on gathering data on incidents rather than that which "has been collected over time, aggregated and will give you something more strategic ".
He added that security chiefs need to convert statistical, tactical and largely qualitative operational metrics into business metrics, which are more action-oriented, comprehensive and offer non-IT leaders strategic advice which enables them to take important business decisions.
To do this, firms usually move through various phases of maturity, starting with the collection of mainly technically-focused and reactive metrics, then the more proactive sharing of these metrics with the business, and the development of repeatable processes.
"The goal and the fourth stage is to enable the business to make intelligent decisions – that's a level of maturity which you achieve after a certain time, when you're comfortable with the metrics," explained Khark.