The CIS Consensus Information Security Metrics benchmark is perhaps the closest thing the industry has to a set of standards for security metrics today. Experts warn against measuring aspects of security that may not be meaningful to the business. A class of tools for security posture management (SPOM) is emerging, but the market hasn’t taken off. Experts say there is still a big gap between operations people, compliance people and security people. One promising way to get some security metrics is to benchmark one company’s state and processes relative to others, one expert says.
Source: https://www.darkreading.com/analytics/searching-for-security-s-yardstick