
By Frank Washkuch
Excerpt:
"The skill set required for the modern IT security professional is constantly changing - the moxie of malware authors, phishers and online scam artists ensures that. Employees working to keep networks and data safe increasingly need another trait they can't learn in a certification course or training session, say consultants and analysts. The IT security pro is now expected to be a great communicator, especially when using metrics and other statistics to explain a corporate IT strategy - and its results and shortcomings, to superiors …
"One truth across the board, however, is that companies can’t just throw money at the problem. Effective C-level executives are familiar with their own company’s risk management strategy - including compliance concerns, assets and types of threats it faces from the outside world and within its own cubicles. Companies using repeatable statistics to show improvement in targeted areas - or the rise of new threats - have superior metrics to those reflecting money spent, says Max Caceras, director of product management at Core Security …
"I would say that there is not a general consensus on what type of metrics to show. Some folks will report operational metrics, which don’t necessarily report how security has improved, but just say that this and that were deployed this month," he says. "They don’t really mean anything in terms of security. Some organizations are further down the line, and they understand that measurement is the key thing in terms of reporting metrics."
Source: SC Magazine