Information Security Management Metrics
A Definitive Guide to Effective
Author: Krag Brotby
Publisher: Auerbach (CRC Press), 2009
Price: ~US$76 from Amazon
This is a summary. For the full version of this review, please read EDPACS (The EDP Audit, Control, and Security Newsletter), Volume 43, Issue 3, page 9.
Measuring information security is the greatest remaining challenge for many of us. This book lays out the foundations on which a rational measurement system can be designed to manage information security in a more objective fashion.
The author encourages readers to consider a wide variety of measurement approaches and apply them sensibly to their information security management issues. In addition to conventional information security metrics, the book draws on governance, risk management, financial management and business analysis methods, a more diverse range of approaches than is normally covered in this field.
Krag Brotby, CISM, CGEIT, is a knowledgeable information security consultant with more than two decades’ information security management experience in big-name companies. This gives real depth to the content.
Systematically managing practically anything requires meaningful metrics, so a look at management and measurement practices beyond the traditional bounds of information security management is enlightening. Introducing measures of organizational structure and culture sets this security metrics book apart from most others. Strategic, tactical and operational metrics are differentiated according to their predictive timescales and perspectives.
Although the writing style is clear, this is a complex subject covered in depth. The book is certainly thought-provoking. Roughly 50 books, papers and websites are cited for further study.
The book is rather theoretical or academic in approach. It won’t suit practitioners simply looking for a short checklist of ‘security things to measure’; it takes considerable effort to comprehend and apply.
The book is probably of most value to CISOs and ISMs tasked with implementing better security metrics, and to information security management students.
Overall, I enjoyed studying this book and found the effort worthwhile but, being a pragmatist by nature, I was left wanting more in the way of practical guidance ...
- Postscript -
Copyright © 2013 IsecT Ltd.