2.01.2008

Security Process Maturity: Level 5

by Steven McElwee

Security managers are often plagued by the question, “How do I make security measurable?” Because security does not produce a product or directly improve a company's cash flow, creating meaningful measurements that justify an organization's expenditure on security is challenging. This is where ISM3 provides a great tool for measuring security.

ISM3's level five is about taking all of the processes of levels one through four and using them to communicate the coverage and effectiveness of security.

ISM3 defines seven types of metrics that work well within this maturity model:

Process Metrics

  • Number of times a security process was performed in a period
  • Scope of protection as a percentage of assets protected by the process
  • Time since the last update of process outputs
  • Time since a security process last produced its expected output

Performance Metrics

  • Return on Security Investment (ROSI) as the percentage of losses avoided compared to the cost of the process
  • Comparison of the process output to a baseline or benchmark
  • Ratio of available resources in actual use

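
As an added illustration (not part of the original post or of the ISM3 specification), the following Python computes all seven metric types for one security process from a handful of constructed execution records, then turns them into findings for the continuous-improvement loop. The record shape (`ProcessRun`), the thresholds, the reading of ROSI as losses avoided divided by process cost expressed as a percentage, and the choice to take scope from the most recent run in the period are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

DAY_SECONDS = 86400.0


@dataclass
class ProcessRun:
    """One recorded execution of a security process (constructed record shape)."""
    finished_at: datetime
    assets_covered: int             # assets the run actually protected
    expected_output_produced: bool  # did the run deliver its defined deliverable?


@dataclass
class Ism3Metrics:
    """The seven metric types from the post, one field each. None = not computable."""
    runs_in_period: int
    coverage_pct: Optional[float]
    days_since_last_update: Optional[float]
    days_since_last_expected_output: Optional[float]
    rosi_pct: Optional[float]
    benchmark_ratio: Optional[float]
    resource_utilisation: Optional[float]


def days_between(earlier: datetime, later: datetime) -> float:
    return (later - earlier).total_seconds() / DAY_SECONDS


def compute_metrics(runs: List[ProcessRun], total_assets: int,
                    period_start: datetime, period_end: datetime, now: datetime,
                    losses_avoided: float, process_cost: float, benchmark_runs: int,
                    hours_used: float, hours_available: float) -> Ism3Metrics:
    in_period = sorted((r for r in runs if period_start <= r.finished_at < period_end),
                       key=lambda r: r.finished_at)
    runs_in_period = len(in_period)

    # Scope of protection: share of the asset base touched by the latest run in the period.
    coverage_pct = (100.0 * in_period[-1].assets_covered / total_assets
                    if in_period and total_assets else None)

    # Time since the process last produced any output at all.
    all_runs = sorted(runs, key=lambda r: r.finished_at)
    days_since_last_update = days_between(all_runs[-1].finished_at, now) if all_runs else None

    # Time since it last produced the output it is *supposed* to produce.
    good_runs = [r for r in all_runs if r.expected_output_produced]
    days_since_last_expected_output = (days_between(good_runs[-1].finished_at, now)
                                       if good_runs else None)

    # ROSI: losses avoided relative to process cost, as a percentage (assumed reading).
    rosi_pct = 100.0 * losses_avoided / process_cost if process_cost else None
    # Benchmark comparison: actual run count against the agreed benchmark count.
    benchmark_ratio = runs_in_period / benchmark_runs if benchmark_runs else None
    # Resource use: share of available staff hours actually consumed.
    resource_utilisation = hours_used / hours_available if hours_available else None

    return Ism3Metrics(runs_in_period, coverage_pct, days_since_last_update,
                       days_since_last_expected_output, rosi_pct,
                       benchmark_ratio, resource_utilisation)


def improvement_flags(m: Ism3Metrics, min_coverage_pct: float = 95.0,
                      max_output_age_days: float = 14.0,
                      min_benchmark_ratio: float = 1.0) -> List[str]:
    """Findings for the continuous-improvement loop; thresholds are illustrative."""
    flags = []
    if m.coverage_pct is None or m.coverage_pct < min_coverage_pct:
        flags.append("coverage below target")
    if (m.days_since_last_expected_output is None
            or m.days_since_last_expected_output > max_output_age_days):
        flags.append("expected output is stale")
    if m.benchmark_ratio is not None and m.benchmark_ratio < min_benchmark_ratio:
        flags.append("below benchmark frequency")
    return flags


def sample_metrics() -> Ism3Metrics:
    """Constructed data for a hypothetical monthly patch-deployment process."""
    runs = [
        ProcessRun(datetime(2007, 12, 20), 900, True),   # previous period
        ProcessRun(datetime(2008, 1, 8), 920, True),
        ProcessRun(datetime(2008, 1, 15), 950, True),
        ProcessRun(datetime(2008, 1, 22), 960, False),   # ran, but no completion report
    ]
    return compute_metrics(
        runs, total_assets=1000,
        period_start=datetime(2008, 1, 1), period_end=datetime(2008, 2, 1),
        now=datetime(2008, 1, 31),
        losses_avoided=120_000.0, process_cost=40_000.0, benchmark_runs=4,
        hours_used=60.0, hours_available=80.0)


if __name__ == "__main__":
    metrics = sample_metrics()
    print(metrics)
    print("findings:", improvement_flags(metrics))
```

The point of `improvement_flags` is that a metric only earns its keep when a threshold turns it into an action: the sample data shows a process that ran and kept its coverage up, yet its last run produced no deliverable and it fell short of the benchmark cadence, which is exactly what a level-five review should surface.
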
Measuring each of the ISM3 processes implies that there is a system that easily captures metrics as part of normal operation. Without a centralized metrics reporting system, ISM3 level five will be unsustainable.

The most important reason for measuring your security processes is to identify how well you are operating and work on continuous improvement. At this level, managing the process of continuous improvement is important. By measuring, automating, improving, and communicating your security metrics, you will create a sustainable, continuously improving security operation.
