The evolution of security metrics for NIST CSF 2.0
2024-05-28 05:00

The NIST Cybersecurity Framework 2.0 underscored that simple, single-attribute metrics alone are insufficient, and probably even improper, when used as proxies for security outcomes.

Combining effective use of metrics plus a deeper understanding of how security processes play out is the best way to build more security agility and enable teams to react more quickly and effectively.

Process metrics can span multiple systems and attributes, breaking down silos and providing a more holistic view of security that more closely aligns with CSF 2.0's emphasis on outcomes over old-style metrics that measure a single attribute or factor.

Siloed metrics don't tell the whole story: Narrow metrics may show the number of vulnerabilities patched but don't capture root causes, how those vulnerabilities were prioritized, or if the most critical ones were addressed first.

Siloed metrics are easily gamed: If teams are held accountable purely by metrics, they may focus on hitting targets rather than achieving true security.

CSF 2.0, with its movement toward outcomes and processes over metrics, acknowledges that the old reliance on simple metrics and dashboards was insufficient to keep pace with a rapidly evolving threat landscape.

News URL

https://www.helpnetsecurity.com/2024/05/28/cisos-security-metrics-nist-csf-2-0/