Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?
Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:
- How secure am I?
- Am I more secure than I was last year?
- How much should I be spending on security?
Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.
Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a systematic method of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.
Enter security metrics.
Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.
Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.
To develop a measurement system that will be useful, you need to build metrics that address two audiences: you, and your CEO.
The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.
The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.
Here are some metrics to consider:
- Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
- Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
- Mean Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover ourselves (versus our customers, partners or other third parties), and how long did it take? Secondly, how long did it take to recover from critical incidents?
- Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
- Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?
The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
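The point of trending is that a single number answers neither "how secure am I" nor "am I better than last year"; the same number computed quarter over quarter does. As an added illustration (not code from the original post), the script below computes three of the metrics listed above, Mean Time to Incident Discovery, Mean Time to Recovery for critical incidents, and Patch Policy Compliance, from a handful of constructed incident and patch records, grouped by calendar quarter. The patch SLA values, the record fields and the sample data are assumptions made for the example, not any particular organization's policy.

```python
"""Trend a few of the security metrics discussed above (example code, not from
the original post). Records, field names and the patch SLA are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    ident: str
    severity: str           # "critical", "high", "medium" or "low"
    occurred: datetime      # best estimate of when the compromise began
    discovered: datetime    # when anyone, internal or external, noticed it
    recovered: datetime     # when service / data was restored
    discovered_by: str      # "internal" or the external party that told us


@dataclass
class Patch:
    ident: str
    severity: str
    released: date          # vendor release date
    applied: Optional[date]  # None means it is still not installed


# Assumed patch policy: days allowed between vendor release and install.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed sample records; not real incidents or patches.
INCIDENTS = [
    Incident("I-1", "critical", datetime(2011, 1, 3, 9), datetime(2011, 1, 5, 9),
             datetime(2011, 1, 6, 9), "internal"),
    Incident("I-2", "high", datetime(2011, 2, 10), datetime(2011, 3, 1),
             datetime(2011, 3, 3), "customer"),
    Incident("I-3", "critical", datetime(2011, 4, 12, 12), datetime(2011, 4, 12, 18),
             datetime(2011, 4, 13, 6), "internal"),
    Incident("I-4", "low", datetime(2011, 5, 1, 8), datetime(2011, 5, 2, 8),
             datetime(2011, 5, 2, 10), "partner"),
]
PATCHES = [
    Patch("P-1", "critical", date(2011, 1, 10), date(2011, 1, 20)),
    Patch("P-2", "critical", date(2011, 2, 1), date(2011, 3, 15)),
    Patch("P-3", "critical", date(2011, 4, 5), date(2011, 4, 12)),
    Patch("P-4", "critical", date(2011, 5, 20), None),
    Patch("P-5", "high", date(2011, 5, 1), date(2011, 5, 30)),
]


def quarter(d):
    """Calendar quarter label, e.g. 2011-Q2, used as the trend bucket."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def hours(delta):
    return delta.total_seconds() / 3600


def mean_time_to_discovery(incidents):
    """Average hours from compromise to discovery, whoever discovered it."""
    return mean(hours(i.discovered - i.occurred) for i in incidents)


def mean_time_to_recovery(incidents, severity="critical"):
    """Average hours from discovery to recovery for one severity; None if no data."""
    sel = [i for i in incidents if i.severity == severity]
    return mean(hours(i.recovered - i.discovered) for i in sel) if sel else None


def internal_discovery_rate(incidents):
    """Share of incidents we found ourselves rather than being told by a third party."""
    return sum(i.discovered_by == "internal" for i in incidents) / len(incidents)


def patch_violations(patches, as_of):
    """Patches installed after their SLA deadline, or still missing past it on `as_of`."""
    out = []
    for p in patches:
        deadline = p.released + timedelta(days=PATCH_SLA_DAYS[p.severity])
        effective = p.applied or as_of   # an unapplied patch is judged as of today
        if effective > deadline:
            out.append(p)
    return out


def patch_compliance(patches, as_of):
    return 1 - len(patch_violations(patches, as_of)) / len(patches)


def by_quarter(records, key):
    groups = defaultdict(list)
    for r in records:
        groups[quarter(key(r))].append(r)
    return dict(sorted(groups.items()))


def incident_trend(incidents):
    return {q: {"mttd_h": mean_time_to_discovery(g),
                "mttr_critical_h": mean_time_to_recovery(g),
                "internal_discovery": internal_discovery_rate(g)}
            for q, g in by_quarter(incidents, lambda i: i.occurred).items()}


def patch_trend(patches, as_of):
    return {q: patch_compliance(g, as_of)
            for q, g in by_quarter(patches, lambda p: p.released).items()}


if __name__ == "__main__":
    for q, m in incident_trend(INCIDENTS).items():
        print(q, m)
    for q, c in patch_trend(PATCHES, date(2011, 6, 30)).items():
        print(q, f"patch compliance {c:.0%}")
```

Two design choices matter more than the arithmetic. An unapplied patch is measured against today's date, so a missing critical patch counts as a violation the day its SLA lapses rather than disappearing from the report until someone installs it. And discovery time is measured from the estimated start of the compromise, not from the ticket's creation, which is the only way the 86 percent "someone else told us" problem shows up in the number.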
(For some other ideas, check out the CIS Consensus Information Security Metrics)
Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.
Get your metrics right and the next time your CEO asks “how secure am I” you can say.. “No worries mon.”
Early Christians were an organized bunch.
While other religions were floundering in banal castings of “good” and “evil”, Catholics were taking things to a whole ‘nother level. Although they didn’t become popular until the early 14th century, the 7 Deadly Sins proved to be a useful tool for theologians of the time. With such a variety of vices from which to choose, clergymen could condemn miscreants for anything from excesses to laziness. Who would have guessed that these same labels would have information security applications centuries later?
Now, I feel that I should clarify one point. While I did go to Sunday School as a child, I am not a religious individual. In fact, the last time I set foot in a church I was there to admire the architecture. My next visit should be along the lines of a bake sale.
All that being said, I too tend to be an organized person and categorizing things helps reduce the chatter in my mind. I also find that the 7 Deadly Sins have a rightful place in information security, as we find so regularly that businesses, practitioners and risk owners commit these “things that His soul detesteth”.
Without further ado:
- Lust – It continues to be proven time and time again that technology does not solve security challenges, yet there are individuals who find that shiny new piece of technology irresistible. It is the people and processes around your hardware and software that will determine how effective they are, regardless of what miracles they claim. It was not the sandals that allowed Jesus to walk on water.
- Gluttony – Some security practitioners and business owners do get it. In fact they get too much of it, and their employees pay the price. Your security controls should match your risks. And although we appreciate the intent of these enthusiastic individuals, please stop. You’re giving us a bad name. Security can be inconvenient for employees even when it’s done well, when it’s overdone it can be downright painful.
- Greed – Businesses will often claim that they can’t afford to spend money on security services. To this I reference the countless statistics demonstrating breached businesses that were unable to recover. The losses caused by cybercrime are increasing at a staggering rate. If you’ve got confirmation from a reliable source that it’s going to rain for forty days and nights, don’t build your Ark out of straw.
- Sloth – Inaction on the surface of a business may in reality be a symptom of other things, including lack of resources, lack of direction or lack of motivation. A healthy dose of awareness and education is typically needed at these organizations, followed closely by good leadership. Executives should be setting the security “tone at the top”, and an effective Risk Management process should be defining security priorities. Information security is like religion: it’s a journey, not a destination.
- Wrath – To be honest, I couldn’t come up with a good analogy for this one, but I can get a little feisty when Dunkin’ Donuts is out of hot chocolate. I confess.
- Envy – Information security is no place for blind faith. The business across the street may look like yours, but that doesn’t mean you have the same risks. And it doesn’t mean you should be implementing the same security controls. Understanding your own risks is the only proven method for protecting your business. Amen.
- Pride – “We’re well along with our security program, gentlemen.” “We’re audited all the time and we’re compliant.” “We’ve got that security thing under control.” The words of false prophets, these can be the most devious of all. Not only do these individuals deprive their people and organizations of objective assessment, advice and relief, their messages convey a false sense of security. These are the proverbial wolves in sheep’s clothing.
I was baptised at a relatively early age. Rocking a bowl cut and leisure suit, I even made Communion. And then through a little bit of hard work I learned that some assets are sensitive and need special security controls. It didn’t take an act of God.
If you are a business owner, a CFO or a security practitioner, or just know one of these individuals, I encourage you to re-read this list of mortal sins. If necessary, etch them into a stone tablet and carry them to the top of the nearest mountain.
It may just help you avoid the Apocalypse.
It doesn’t take a security genius to figure out that prevention alone – whether the incident is a malware infestation, a child porn case, bank fraud or a data breach – is a failed strategy.
For years we have ignored, overlooked or rationalized the dramatic increases in both security spending and losses from cybercrime. Despite a 40 percent annual increase in information security budgets, the total of losses and costs from security incidents has increased 400 percent. This can only mean the following:
- We are spending our security dollars on the wrong things. If your company spends more on security hardware and software than it does on security policies, processes, measurement and analysis, it may be time to review your priorities. Security peace of mind comes from knowing exactly where your weaknesses are and the knowledge that you’ve effectively strengthened them. Ask your security hardware vendor to guarantee their product’s effectiveness – they’ll respond only with a smile. You may also be interested to know that the US Military spends more on analysts and communications than it does on guns and artillery.
- We are implementing the wrong things incorrectly. Whether it’s the use of default passwords on firewalls or misapplied IDS and SIEM rules, commonplace security hardware and software is falling down on the job. But it’s not doing it alone. Just like guns don’t kill people, firewalls don’t ALLOW ALL. Without a thorough, consistent Certification and Accreditation process, companies will continue to put hardware and software on the wire that does little to protect them, all while introducing new vulnerabilities.
- The wrong things, once implemented incorrectly, are not being assessed or measured for incorrectness. Breach investigations consistently find that a large share of compromises exploited vulnerabilities for which a patch had been available for six months or more. Poor configurations will keep reaching production; regular, effective assessment is what catches them before an attacker does. How well is your security infrastructure protecting your business? If you can’t answer this question quantitatively, it’s time to implement a system of regular assessment and measurement.
One of the most profound findings from 2011’s Verizon Business Data Breach Investigations Report (see image) was that 86 percent of data breaches were discovered not by the afflicted parties, but rather by the afflicted party’s customers, partners or business associates. This staggering number demonstrates that despite all security efforts, companies are failing at prevention and, just as clearly, at detection.
The time has come to shift our efforts to detection and correction, or at least institute a better balance across these domains. Consider your bank, and what they consider their most valuable security controls. Rarely do you find armed guards at banks today, and most of them prefer glass doors. Inside, however, you’ll find cameras, panic buttons and dye canisters at every teller station. You can’t stop bank robbers, but you can stop bank robberies.
With all of the press around security incidents these days, blogs like this feel like beating a dead horse. Unfortunately, if this preaching weren’t falling on deaf ears the statistics would be headed in the other direction. So grab your conscience, some duct tape and a bottle of water, there’s work to do.
And grab a shovel, we need help digging this grave.
As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.
I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (who I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized databreaches and gangs using the Internet to auction illegal firearms.
Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capital Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, he would never leave his house.
And then it occurred to me – what if the same was true of information security?
I recently read an article that suggested that there should be more data breach notifications, rather than fewer. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.
But imagine for a moment that the details of every data breach, malware outbreak and security incident were at once made public. One of two things would happen:
- With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of data breaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
- The computing world as we know it would stop. I liken it to a mass, global outbreak of HIV – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems that are built upon an implied system of security cannot survive.
The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.
And while it may seem far-fetched to think of our world regressing to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.
As the owner of an information security firm, I am frequently faced with the challenge of figuring out who to deliver our message to. Most security practitioners would respond that security is everyone’s responsibility, and I don’t disagree. However when you’re in the business of marketing security services, and not just implementing, that shotgun mentality will just make a big, messy hole.
Yesterday I overheard my business partner on the phone with a prospect, a Compliance Officer for a large credit union. As my partner’s pitch rose to a crescendo, he was suddenly interrupted, replying “so that’s not your responsibility? So… I should talk to IT?” No matter how successful you are, you’re going to get your share of objections, rejections and denials. But deflections are different, particularly in security. Let me explain.
For a long time, information security was considered an IT problem. Why? Because the solutions – things like firewalls, antivirus software and access control lists – were only available from IT. This system worked for a while because the controls were well matched for the threats. But it created an unfortunate precedent, one that would eventually disarm businesses everywhere.
Fast forward to 2011. Today’s threats don’t look or act the way they did ten, five or even two years ago. And even though today’s threats are still rudimentary in nature, they cleverly outwit traditional security controls by avoiding them altogether. The firewalls and antivirus software that made IT synonymous with security are failing, and it’s causing a new problem – an identity problem. IT is not your security team. But if IT doesn’t do security, who does?
It’s not an easy answer, but if you can find the risk owners, you’re on the right track. Here are some suggestions, in descending order of liability:
- At the highest level, business owners are responsible for the health and welfare of their employees, clients and businesses, and as such are implicitly accountable for ensuring the security of business assets. Whether it’s awareness training or data protection, the buck stops here. Of course, each business has unique risks, and every security program will, and should, look different. Business owners are the primary risk owners.
- Next come asset owners. This is a term borrowed from ITIL and other organizational frameworks that seek to identify the chief decision makers for information and other systems. Asset owners, after business owners, are next in line for risk accountability, because they make decisions about business assets. The Human Resources Manager, the Comptroller, the Director of Development – these are all good examples of asset owners. This could be a large group of individuals, depending on the size of the organization.
- The next in line would come those involved with compliance or audit. After all, it is these individuals that are measuring how well regulatory, statutory, commercial and other legal requirements are being met.
- Last are the employees of the business. Each and every member of the organization has a role on the security team and is a cog in the security machine. It is the responsibility of each individual to understand their role and responsibilities and implement the required behaviors to the best of their ability. Employees are the organization’s biggest, brightest and most capable security control – when they fail, it becomes a major weakness.
So where does that leave IT? As a service provider, your Information Technology team is simply doing what they are asked to do. Whether your security program is strong and mature or non-existent, remember that it wasn’t (or shouldn’t be) IT that made it that way. IT’s job is to provide technology services that meet specific Service Levels to their clients – the departments, end users and asset owners in your business. They’ll be happy to secure your assets, but only after a business leader, asset owner or Compliance Officer has made the critical decision to do so.
So the next time someone calls you and asks if you’d like to talk about information security at your company, you know what to say.