Ann All spoke with Pamela Casale, chief marketing officer for Intellitactics, a provider of enterprise security management solutions used by security analysts, security operations and corporate risk officers at Global 3000 companies and government agencies. Its Intellitactics Security Manager integrates event and alert management, incident management and reporting to simplify the complexities of managing diverse security environments.
All: Are companies beginning to make an effort to get more demonstrable value out of their compliance and security spending?
Casale: Unlike other disciplines, ROI is a relatively new concept in security management. As compliance requirements and compliance consequences grew and people realized that a security breach could put their company in the headlines, there was a lot of reactionary spending. People weren't thinking about ROI; they just wanted to be able to tell the auditor that they were spending money on security. Now companies are beginning to really look at what security levels have been and say, "How secure are we?" When we spoke with CFOs, they said that after all of that spending on compliance, they didn't feel any more secure.
Companies are beginning to get a lot more deliberate and less opportunistic with their security spending. Financial services companies, which had to start dealing with security and compliance issues early on and are reaching maturity sooner, are beginning to look at it as a comprehensive effort. Gartner has estimated that companies that are not able to consolidate their efforts to be compliant and secure are going to end up spending 10 times more than other companies.
All: Are metrics becoming more important?
Casale: Because companies have begun recognizing security is a strategic issue and as the discipline is now mature, they realize they have to be able to measure what they are doing. They want to be able to take measures, compare and contrast them, and show trends over time. In a survey conducted for us by Frost & Sullivan, we found that the number-one reason companies are looking at security metrics is to justify spending. It's a good thing not to show up in the headlines — but not for spending. The CFO may say "Everything is OK. Why do we need to spend more money?"
The biggest difference between reports and metrics is that a report just presents information while metrics help you establish the relationships between different dimensions. That's difficult to do in a manual report, because most companies don't have the luxury of a full-time person to take care of it. A common complaint is that by the time you get the metrics, they are already outdated. With an automated metrics program, however, the content dynamically updates itself so the information is relevant when you receive it.
All: Which areas are companies interested in measuring?
Casale: There are some obvious key performance indicators. One of the biggest ones is incidents. In our Frost & Sullivan survey, it was one area that nearly everyone could agree on. As the culmination of all of the security management you are doing, your security infrastructure will generate millions of events. Products like ours help break those down into a smaller number of alerts, and a smaller number of those are escalated into incidents. So companies want to know how many incidents they generate relative to the number of alerts, how much time is spent resolving them from open to closure, and what is the cost of doing so. They also want to know the impact the incident had on the business — how many transactions were unable to be performed during the incident? How many customers were potentially at risk?
Another one is productivity. Of course, I don't know of a management discipline in IT that isn't concerned with that. When security first came to the forefront in the mid-1990s, you had just a handful of really competent experts, many of whom came from the public sector. There just weren't enough of them to go around, so it was incumbent on us and other providers of security solutions to build as much automation as possible into our software. With our product, customers can provide variables like salary, and we can show them how much they are saving.