Effective Operational Security Metrics

By: Preventsys
Published: Nov 29, 2005
Length: 16
Type: White Paper
Overview:

Security professionals are constantly being asked to justify every security project. Security risks can often be difficult to measure and even more difficult to understand by people outside the department. The key to demonstrating improvement is to translate security information into business terms.

The ability to identify the type, quantity, frequency, audience and presentation of appropriate security metrics can increase the value of a CISO or security professional to the management team. Download this white paper to learn more.


More importantly, metrics provide a mechanism for IT security risk management and feed a process of continuous security improvement. If you manage security through a unified business process, you will be able to quantify improvements in security and prove risk reduction, create a repeatable practice, and ultimately demonstrate results over time. After all, you cannot effectively manage what you can't measure. If you are not yet managing security with measurable operational metrics, you will be soon: as part of any business, operational security metrics will become mandatory for demonstrating status and progress in this new business climate.

In the past, information security has been tactical and reactive as opposed to managed and measured. Due to the changing regulatory environment and the complexity of business today, organizations are facing increased accountability. To follow best practices, organizations must align, manage, and measure security around business operations. It will no longer be acceptable to simply declare "we have a change management process and if something isn't configured appropriately we find it and fix it." You will be expected to demonstrate that you are following this process and are on a path toward continuous improvement.

"According to the Robert Frances Group, collecting and reporting security metrics is an integral part of an enterprise security strategy. IT executives should examine their metrics collection practices to ensure that the metrics collected are useful and understandable and cover all necessary security aspects." (Chad Robinson, Sr. Business Analyst, Robert Frances Group, "Collecting Effective Security Metrics")

If we walk the halls of most large corporations, very few will have any metrics posted on security. Why? The network groups have their statistics on availability, uptime, and issue resolution. The storage groups have their charts on the gigabytes of data backed up and successful backups completed. Historically, measuring security processes has been avoided. And, to be fair, it has been very difficult to do, and the demand for accountability is fairly new. It's only recently that security professionals have been held accountable for consistently reporting security metrics to the executive team: metrics that demonstrate improvement, assess the organization's overall security, and provide a repeatable measurement process mapped to business objectives.

"According to a recent survey on security metrics practices conducted by the Robert Frances Group, RFG found that nearly all participants collected and reported metrics, but only a subset of the participants felt these practices were effective. In addition, almost no participants responded that metrics reporting was fully automated," said Chad Robinson, Sr. Business Analyst at Robert Frances Group.


The RFG survey results concluded that most security people were measuring viruses. 92.3% of respondents reported measuring the number of viruses detected in user files and in email messages. 84.6% of respondents reported measuring invalid logins and intrusion attempts. Spam detected/filtered was measured by 76.9% of respondents and spam not detected by 38.5% of the respondents. In summary, the majority of all respondents were measuring "security" by focusing on viruses, logins, spam, and intrusion attempts.

As illustrated in the table below, most participants collected and tracked metrics from products that make this process straightforward, such as virus and spam detection packages.

These metrics are an attempt to measure the effectiveness of specific technologies deployed. They are not designed to show information about current operational risk to the organization; they are meant to show some type of return on investment.

For example, a metric that demonstrates you are stopping 80% more spam can be used to justify the renewal of the contract for the anti-spam product. Similarly, if you're seeing an increase in virus detection and removal and a decrease in outbreaks on your network, this information can be used to justify the deployment of anti-virus software.