Securing the enterprise is more than making sure everything is patched. Metrics are an essential tool for knowing where you’ve been, where you are and where you’re going.

If you haven’t learned that yet as an administrator, you’ll learn it the hard way: the CEO will expect it.

If you’re not already a metrics master, you’ll learn some valuable lessons from a security manager who writes under the pseudonym Mathias Thurman for Computerworld U.S.  The metrics he collects have to be specific, meaningful, actionable, repeatable and time-dependent (for those who can’t see it, they spell SMART).

Note that outsourcing the company’s operations centre hasn’t stopped “Thurman” from setting up a security operations centre to keep on top of IT security. Presumably, everything could have been turned over to a managed security provider, but his firm decided that security monitoring should be kept in house.

So once a quarter he produces a report on the patch and antivirus compliance of the DMZ and production infrastructure. Once or twice a year there’s a report on security budget spent per employee, security head count as a percentage of IT staff, and security budget as a percentage of the IT budget. These are compared with estimates of competitors’ spending and with industry analyst benchmarks.

Some metrics come from logs. Others are compiled by Thurman himself with the help of his security analysts, because the company’s trouble ticket system isn’t sophisticated enough to produce the incident metrics he wants to track. This way malware trends and false positives can be closely watched and reacted to.
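To make the two reports above concrete, here is an added example (not code from the column or from Computerworld) that computes per-zone patch and antivirus compliance from a host inventory and a quarterly malware trend with false-positive rate from incident tickets. The host and ticket records are constructed sample data, and the field names, zone labels and compliance thresholds are assumptions for illustration:

```python
"""
Added example (not from the original column): a small, repeatable
computation of the kind of quarterly metrics the article describes.
All host and ticket records are constructed sample data; field names,
thresholds and zone labels are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (hypothetical): a host is "patch compliant" if its
# oldest missing critical patch is no more than 30 days old, and "AV
# compliant" if its signature set is no more than 7 days old.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIG_AGE_DAYS = 7


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                       # e.g. "dmz" or "production"
    oldest_missing_patch_days: int  # 0 means fully patched
    av_signature_age_days: int


@dataclass(frozen=True)
class Ticket:
    opened: date
    category: str                   # e.g. "malware", "phishing"
    false_positive: bool


def compliance_by_zone(hosts):
    """Per-zone patch and AV compliance as percentages (one decimal place)."""
    totals, patch_ok, av_ok = Counter(), Counter(), Counter()
    for h in hosts:
        totals[h.zone] += 1
        if h.oldest_missing_patch_days <= MAX_PATCH_AGE_DAYS:
            patch_ok[h.zone] += 1
        if h.av_signature_age_days <= MAX_AV_SIG_AGE_DAYS:
            av_ok[h.zone] += 1
    return {
        zone: {
            "hosts": n,
            "patch_compliance_pct": round(100.0 * patch_ok[zone] / n, 1),
            "av_compliance_pct": round(100.0 * av_ok[zone] / n, 1),
        }
        for zone, n in totals.items()
    }


def quarter_of(d):
    """Bucket a date into a calendar quarter label such as '2024-Q1'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def incident_trend(tickets, category="malware"):
    """Per-quarter tickets raised and confirmed for one category, plus the
    false-positive rate (share of raised tickets closed as false positives).
    Time-bucketing is what makes the number repeatable quarter over quarter."""
    raised, confirmed = Counter(), Counter()
    for t in tickets:
        if t.category != category:
            continue
        q = quarter_of(t.opened)
        raised[q] += 1
        if not t.false_positive:
            confirmed[q] += 1
    return {
        q: {
            "raised": raised[q],
            "confirmed": confirmed[q],
            "false_positive_rate_pct": round(
                100.0 * (raised[q] - confirmed[q]) / raised[q], 1),
        }
        for q in sorted(raised)
    }


# Constructed sample data for a stand-alone run.
SAMPLE_HOSTS = [
    Host("dmz-web-1", "dmz", 0, 1),
    Host("dmz-web-2", "dmz", 45, 1),    # critical patch missing > 30 days
    Host("dmz-mail-1", "dmz", 10, 12),  # stale AV signatures
    Host("prod-db-1", "production", 0, 2),
    Host("prod-app-1", "production", 0, 3),
]
SAMPLE_TICKETS = [
    Ticket(date(2024, 1, 15), "malware", False),
    Ticket(date(2024, 2, 3), "malware", True),
    Ticket(date(2024, 3, 20), "malware", False),
    Ticket(date(2024, 3, 21), "phishing", False),   # ignored for malware trend
    Ticket(date(2024, 4, 2), "malware", True),
    Ticket(date(2024, 5, 9), "malware", True),
    Ticket(date(2024, 6, 30), "malware", False),
]

if __name__ == "__main__":
    for zone, row in compliance_by_zone(SAMPLE_HOSTS).items():
        print(zone, row)
    for q, row in incident_trend(SAMPLE_TICKETS).items():
        print(q, row)
```

In practice the host list would come from the patch and antivirus management consoles and the tickets from the trouble ticket system; the point is that the thresholds and the time buckets are fixed up front, so the same numbers can be reproduced next quarter and compared.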

In other words, sometimes you have to do things yourself. But the metrics you generate will help a good security administrator get the numbers right.