How Security Metrics Can Be Abused

1. Collecting too much data

You can’t just collect security data for the sake of collecting it. You can quickly amass gigabytes, terabytes or more of security metrics, and then you face the challenge of parsing and sifting through it all to ferret out the one or two valuable takeaways.

2. Gathering useless data

Part of the solution for not gathering too much data is to make sure you’re only collecting data that has some relevant value. Some will argue that all data has value—it’s all in what questions you want to answer and how they’re asked. If the goal is to limit the volume of security metrics data, though, you have to use some discretion about which security metrics matter and which data you want to gather.

3. Lacking the skills and/or tools to effectively analyze data

Collecting the security metrics data is just the beginning. A massive database of log data doesn’t provide any value unless you have both the right tools and the right skills to filter through it and figure out what it means.

4. Failing to act on security metrics analysis

Assuming you’ve addressed the first three items, you’ve collected the right amount of the right data and done a thorough analysis of it to gain some insight into your security posture and any issues you might have. If you don’t act on that analysis and do something to improve your security posture in some way, then what was the point? The entire security metrics process is a complete waste of time if you don’t do anything with the results.

5. Checking a compliance box

This point lies somewhere between lacking the skills to effectively analyze the security metrics and lacking the will to address the issues that are uncovered. If your only purpose in collecting and analyzing security data is to create pretty vanity metrics that look good on a report and let you mark a box on a compliance checklist, the security metrics aren’t helping you.
