The government has suggested many ways to use metrics to measure the effectiveness of cybersecurity investments, but who should be using these measurement tools – and whether doing so should be required – remains open questions that will affect the scope and movement of these plans.
Industry remains somewhat divided on the role of metrics, while Republican lawmakers appear willing to mandate their use for federal agencies, setting up a debate on who should be required to use them and what impact those assessments should have on private businesses.
At the center of this debate is the framework of cybersecurity standards issued three years ago by the National Institute of Standards and Technology. The NIST framework was issued under an Obama executive order, which set up a voluntary process with industry to develop the framework and promote its widespread use….SOURCE