Cracking the Code of Silence on Meaningful Security Metrics

Tuesday, December 06, 2011

Elizabeth Ireland



Over the last year, the emergence of a new, more sophisticated set of security threats has fundamentally changed enterprise security.

Google, one of the most savvy software companies in the world, was successfully hacked last year by highly structured, targeted threats that only the most skilled forensics experts were able to detect.

Events similar to this, including the recent Sony breaches, have been repeated several times since against equally sophisticated, technically adept firms. 

The security implications of this trend for enterprises cannot be overstated, yet enterprise security practices are still closely guarded secrets. Most companies carefully avoid sharing any information about their security infrastructure, even with other security professionals, fearing that the information may be used against them in a cyber attack.

The problem with this ‘code of silence’ is that there is no way for companies to ensure that the security tools and processes they are using are providing adequate protection -- because there is no way to measure the entire security infrastructure against industry standards.

Executives responsible for safeguarding a company’s critical information assets are inundated with data about various IT systems and security operations, but often they don’t have the tools to effectively monitor and assess complex security and compliance initiatives or communicate with stakeholders in a relevant and actionable context. 

This problem is very much like asking the chief financial officer of a firm to grab a clip board in order to manually collect and add up all the different pieces of information needed to create an integrated view of the company’s financial performance. It seems unfathomable, but that is exactly the situation facing many IT executives responsible for safeguarding critical information assets.

Modern enterprise business tools have evolved in response to increasing business complexity. Today, finance and other line-of-business executives use a wide range of tools -- including enterprise resource planning (ERP), customer relationship management and supply chain management -- to deliver actionable, trusted intelligence about their company’s finances and business processes.

These tools enable collaboration across the organization and provide fact-based metrics about how well an organization performs against financial and operational goals.

Business tools also help executives from business units give the boardroom visibility into key performance indicators (KPIs) so that they can better protect the company’s financial assets, and they help key stakeholders understand how they are performing relative to industry peers and industry standards.

The needs of IT executives mirror the requirements of well-established financial models. These executives require similar tools: visibility into the relevant key metrics at any point in time, and reporting models that let them develop and communicate to all stakeholders a view of the relative state of enterprise security efforts.

IT executives need tools that allow them to reliably assess security and regulatory compliance across enterprise networks against their organization’s goals, at regular intervals.

They must be able to communicate detailed and very technical information across the organization in a format that allows executives at all levels of operations to understand their respective roles in protecting information assets, and the information has to be known to be reliable and consistent.

Strategic information security metrics can provide CISOs with the same timely, actionable information that integrated financial reporting and management systems offer the CFO. They can enable the IT organization to move away from self-assessments and periodic surveys and deliver objective, fact-based data that better identifies risk levels and prioritizes corrective actions.

The key ingredients to all effective performance management processes are metrics and scorecards. However, metrics and measurements are two vastly different concepts. If all the executives in your business came to a meeting with their own interpretation of your organization’s performance based on measurements they collected from their area of expertise, they would spend more time reconciling their various views than determining the appropriate actions to improve performance.

Measurements are generated by tabulation and they provide specific views of individual factors. Metrics, on the other hand, are generated through analysis and provide a broader perspective when compared to measurements.

While metrics are derived from measurements, they add critical contextual information for comparison to a predetermined baseline or to trend data over time. Effective metrics communicate the state, quality and effectiveness of internal controls either against a baseline or against business objectives.

Deriving consistently calculated metrics over time proves the validity and efficacy of the controls so that management has confidence in the process. Visual scorecards based on factual, repeatable metrics also allow management to review performance against internal controls.  

Viewing auditable metrics in a scorecard format allows everyone in the organization to understand the correlation between actions and measured results. Truly useful metrics help provide the insight necessary to make better decisions and are a key component of all risk and compliance programs.

Financial services companies were among the first to implement security initiatives because understanding security risk is critical to the survival of their businesses -- particularly as more financial transactions take place over the Internet.

These organizations use metrics initiatives to create trusted, auditable data about security policy compliance and risk management initiatives required by their heavily regulated and competitive industry.

In addition to providing an effective gauge of internal controls, fact-based metrics can also provide the foundation for industry benchmarks, allowing businesses to measure the performance of their internal controls against others.

Consistently derived metrics, if they can be stripped of all company specific information and transmitted securely, can provide critical visibility into the efficacy of management controls, especially when compared to companies of similar size or others in the same industry or geographical area.
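The distinction drawn above between tabulated measurements, metrics compared against a baseline or trended over time, and a company-agnostic benchmark record is easy to show in code. The following Python is an added example written for this page, not code from the article or its author: the weekly host counts, the business-unit names, the 85 percent patch-coverage baseline and the amber floor are all constructed, illustrative values.

```python
"""Measurements -> metrics -> scorecard -> anonymized benchmark (illustrative example)."""

# Constructed raw measurements, as a patch-management tool might tabulate them:
# (week, business_unit, hosts_total, hosts_patched_within_sla, critical_vulns_open)
# These numbers are invented for the example, not data from the article.
MEASUREMENTS = [
    (1, "finance", 200, 150, 12),
    (2, "finance", 200, 164, 9),
    (3, "finance", 210, 180, 6),
    (1, "retail", 500, 300, 40),
    (2, "retail", 500, 330, 35),
    (3, "retail", 520, 390, 20),
]

# Assumed organisational targets (hypothetical policy values, not from the page).
BASELINE_COVERAGE = 0.85   # green at or above this fraction of hosts patched within SLA
AMBER_FLOOR = 0.75         # amber between the floor and the baseline, red below the floor


def patch_coverage(hosts_total, hosts_patched):
    """A single measurement: the fraction of hosts patched within SLA."""
    return hosts_patched / hosts_total if hosts_total else 0.0


def scorecard_status(coverage):
    """Map a metric to a scorecard colour so every unit is judged by the same rule."""
    if coverage >= BASELINE_COVERAGE:
        return "green"
    if coverage >= AMBER_FLOOR:
        return "amber"
    return "red"


def metrics_by_unit(measurements):
    """Derive metrics from measurements: latest coverage, gap to baseline, weekly trend, status.

    The metric adds the context a raw count lacks: the same 180 patched hosts mean
    something different depending on the fleet size, the baseline and last week's value.
    """
    series = {}
    for week, unit, total, patched, _critical in sorted(measurements):
        series.setdefault(unit, []).append((week, patch_coverage(total, patched)))
    metrics = {}
    for unit, points in series.items():
        first_cov, latest_cov = points[0][1], points[-1][1]
        weeks_elapsed = points[-1][0] - points[0][0]
        trend = (latest_cov - first_cov) / weeks_elapsed if weeks_elapsed else 0.0
        metrics[unit] = {
            "coverage": round(latest_cov, 3),
            "vs_baseline": round(latest_cov - BASELINE_COVERAGE, 3),
            "trend_per_week": round(trend, 3),
            "status": scorecard_status(latest_cov),
        }
    return metrics


def anonymized_benchmark(measurements, industry, size_band):
    """Produce a peer-comparison record stripped of company-specific detail.

    Only the host-weighted coverage for the latest week and coarse cohort labels
    survive; unit names, host counts and vulnerability counts are not emitted.
    """
    latest_week = max(m[0] for m in measurements)
    latest = [m for m in measurements if m[0] == latest_week]
    total = sum(m[2] for m in latest)
    patched = sum(m[3] for m in latest)
    return {
        "industry": industry,
        "size_band": size_band,
        "patch_coverage": round(patch_coverage(total, patched), 3),
    }


if __name__ == "__main__":
    for unit, m in metrics_by_unit(MEASUREMENTS).items():
        print(f"{unit:8s} coverage={m['coverage']:.3f} vs_baseline={m['vs_baseline']:+.3f} "
              f"trend={m['trend_per_week']:+.3f}/wk status={m['status']}")
    print(anonymized_benchmark(MEASUREMENTS, industry="retail", size_band="1k-5k hosts"))
```

The benchmark record deliberately carries no business-unit names or absolute counts, which is the "stripped of all company specific information" property the paragraph asks for before such figures leave the organisation; how the record is transmitted securely is out of scope for the example.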

For many companies, however, establishing security metrics remains a difficult task. Some businesses still rely on spreadsheet-based data collection processes which are resource intensive, difficult to aggregate, and prone to human error.

Expensive business intelligence platforms are another option, but these can be cumbersome and difficult to implement. In addition, the expense associated with these systems often places them beyond the reach of smaller enterprises.

The secrecy surrounding security and compliance programs compounds these problems. This ‘don’t ask, don’t tell’ policy regarding everything connected to enterprise security and compliance matters prevents companies from sharing fact-based information about which tools and processes are most effective.

It’s ironic, but security policies themselves make it difficult for management to understand the relative value of various security investments, to pinpoint areas of risk, and to translate that information into continuous security improvements.

Effectively delivered information security metrics are rapidly becoming even more critical to building and maintaining a competitive advantage. Almost every company across the globe relies on the Internet for some part of their business process, and many companies use the Internet for almost all of their business.

The myriad advantages available to online businesses also come with a growing number of increasingly complex security and privacy risks.

An effective security metrics program protects competitive advantages contained in intellectual property, consumer privacy and critical financial information and raises security awareness across the enterprise.

Businesses of every size have to find a cost effective way to rapidly build, improve, and, most importantly, share security information to cope with the risks posed by cyber criminals and cyber terrorism.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.