Review: Infosec Management Metrics

Information Security Management Metrics

A Definitive Guide to Effective
Security Monitoring and Measurement

Author: Krag Brotby

Pages: 223

ISBN: 978-1-4200-5285-5

Publisher: Auerbach (CRC Press) in 2009

Price: ~US$76 from Amazon

Metrics book review mindmap

This is a summary of the review.

For the full version of this review, please read EDPACS (The EDP Audit, Control, and Security Newsletter), Volume 43, Issue 3, page 9.

Introduction

Measuring information security is the greatest remaining challenge for many of us.  This book lays out the foundations on which a rational measurement system can be designed to manage information security in a more objective fashion.

Scope of the book

The author encourages readers to consider a wide variety of measurement approaches and apply them sensibly to their information security management issues.  In addition to conventional information security metrics, the book draws on governance, risk management, financial management and business analysis methods, a more diverse range of approaches than is normally covered in this field.

About the author

Krag Brotby CISM CGEIT is a knowledgeable information security consultant with more than two decades’ information security management experience in big-name companies.  This gives real depth to the content.

The book’s strengths

Systematically managing practically anything requires meaningful metrics, so a look at management and measurement practices beyond the traditional bounds of information security management is enlightening.  Introducing measures of organization structure and culture sets this security metrics book apart from most others.  Strategic, tactical and operational metrics are differentiated according to their predictive timescales and perspectives.

Although the writing style is clear, this is a complex subject covered in depth.  The book is certainly thought-provoking.  Roughly 50 books, papers and websites are cited for further study.

Its weaknesses

The book is rather theoretical or academic in approach.  It won’t suit practitioners simply looking for a short checklist of ‘security things to measure’, but takes considerable effort to comprehend and apply.

Utility of the book

The book is probably of most value to CISOs and ISMs tasked with implementing better security metrics, and to information security management students.

Conclusion

Overall, I enjoyed studying this book and found the effort worthwhile but, being a pragmatist by nature, I was left wanting more in the way of practical guidance ... 

- Postscript -

Krag’s book Information Security Governance neatly complements this one.  In conjunction with Gary Hinson, Krag has written a new book on security metrics.

Copyright © 2013  IsecT Ltd.