Center for Internet Security Announces Industry’s First Consensus-Based Metrics for Information Security


Share on LinkedIn

New Metrics Service Will Help Enterprises Improve Security by
Correlating Implementation of Practices and Processes with Outcomes

HERSHEY, Penn. – Sept. 9, 2008 – The Center for Internet Security (CIS) today announced it will soon release the industry’s first consensus based IT security metrics that are defined through collaboration among a large group of security experts from leading commercial, government and academic organizations. The metrics are user-originated, unambiguous methods for measuring key aspects of the information security status of an enterprise.

“Government and industry spend lots of time and money to improve cyber security, but often the focus is more on compliance with best practices rather than outcomes. Enterprise leaders and information security professionals struggle to make cost-effective security investment decisions largely because they lack specific, consistent, widely accepted outcome metrics for decision support,” said Bert Miuccio, CEO of CIS. “Legislators and executives want to understand the value their expenditures produce, but objectively defining and measuring success is an increasing problem for security professionals. I think these challenges can be most effectively addressed through collaboration and consensus.”

CIS – The Only Source for Consensus Based Information Security Metrics
CIS has convened a group of more than 80 leading security experts from government, business and academia. It is facilitating a process through which they come to agreement about what indicators of enterprise information security status are most important to measure, and define specific ways to accurately measure them.

The group’s initial set of outcome and process metrics are expressed conceptually pending final definition as follows.

? Mean time between security incidents
? Mean time to recover from security incidents
? % of systems configured to approved standards
? % of systems patched to policy
? % of systems with anti-virus
? % of business applications that had a risk assessment
? % of business applications that had a penetration or vulnerability assessment
? % of application code that had a security assessment, threat model analysis, or code review prior to production deployment

“Most, if not all, information security professionals agree that these are important indicators of security status,” Miuccio said. “But if you ask ten people how to measure any one of them you would receive ten different answers. Consistency in the definition of metrics is essential for the data to be useful as feedback for security process and practice improvement. Consistent methods of measurement are prerequisites for understanding and communicating an enterprise’s security status over time. The metrics are also a foundation for enterprises to analyze their outcomes compared to others in their industry verticals. In all aspects of business, including information security management, much can be learned from cross-enterprise benchmarking.”

“In my opinion, metrics are a critical prerequisite for turning IT security into a science, as opposed to black art,” said Elizabeth Nichols, CTO of PlexLogic and a volunteer team leader in the CIS consensus metrics effort. “Metrics, managed correctly, foster the structure, repeatability, and rigor needed to provide decision makers with hard facts and data, as opposed to untestable hypotheses and unsubstantiated conjectures.”

CIS to Launch New Information Security Metrics Service
In addition to the consensus information security metrics, later this year CIS will launch a groundbreaking software-based service that will provide value to enterprises by enabling:

? Mechanisms for correlating security practices with outcomes
? Communication of security performance over time
? Anonymous cross-organization comparison of security status

“The new CIS information security metrics service will provide data that is essential in formulating information security strategy and evaluating its implementation,” Miuccio said. The data service will provide a rational basis for making cost-effective security investments to better ensure the availability, confidentiality and integrity of information for enterprises that depend on the cyber infrastructure.”

“Security metrics is in its infancy and, in my opinion, has been stuck there for too long. With the introduction of this new service, CIS marshaled all the ingrediants for a break through: consensus-making with leaders about what to measure and a capability to deliver valuable measurements,” Nichols said. “I am excited that CIS is stepping up with a concrete path moving forward.”

To learn more about the CIS Consensus Information Security Metrics and its new Security Metrics Service visit:

About CIS
The Center for Internet Security (CIS) is a non-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. CIS develops and distributes consensus based benchmarks for secure configuration of operating systems, software applications and network devices. The consensus security configuration benchmarks are downloaded more than one million times a year, and are globally accepted as user-originated, de facto standards. More than 150 leading corporations, government entities, universities and security organizations are CIS members. For more information, visit

News Editor
CustomerThink offers a free news posting service for press releases relevant to our community. To submit your press release to our news editor, send an email to [email protected] with the press release headline and main content in the email subject line and body, respectively. That's it! Approved press releases will appear in our news category within one business day of submission.


Please use comments to add value to the discussion. Maximum one link to an educational blog post or article. We will NOT PUBLISH brief comments like "good post," comments that mainly promote links, or comments with links to companies, products, or services.

Please enter your comment!
Please enter your name here