Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?
Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:
- How secure am I?
- Am I more secure than I was last year?
- How much should I be spending on security?
Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.
Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.
Enter security metrics.
Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.
Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.
To develop a measurement system that will be useful, you need to build metrics to address two audiences; 1. You. 2. Your CEO.
The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.
The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.
Here are some metrics to consider:
- Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
- Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
- Mean-Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third-parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
- Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
- Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?
The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
(For some other ideas, check out the CIS Consensus Information Security Metrics)
Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.
Get your metrics right and the next time your CEO asks “how secure am I” you can say.. “No worries mon.”
It doesn’t take a security genius to figure out that the theory of preventing security incidents – from malware infestations and child porn cases, to bank fraud and databreaches – is a failed concept.
For years we have ignored, overlooked or rationalized the dramatic increases in both security spending and losses from cybercrime. Despite a 40 percent annual increase in information security budgets, the total of losses and costs from security incidents has increased 400 percent. This can only mean the following:
- We are spending our security dollars on the wrong things. If your company spends more on security hardware and software than it does on security policies, processes, measurement and analysis, it may be time to review your priorities. Security peace of mind comes from knowing exactly where your weaknesses are and the knowledge that you’ve effectively strengthened them. Ask your security hardware vendor to guarantee their product’s effectiveness – they’ll respond only with a smile. You may also be interested to know that the US Military spends more on analysts and communications than it does on guns and artillery.
- We are implementing the wrong things incorrectly. Whether it’s the use of default passwords on firewalls or misapplied IDS and SIEM rules, commonplace security hardware and software is falling down on the job. But it’s not doing it alone. Just like guns don’t kill people, firewalls don’t ALLOW ALL. Without a thorough, consistent Certification and Accreditation process, companies will continue to put hardware and software on the wire that does little to protect them, all while introducing new vulnerabilities.
- The wrong things, once implemented incorrectly, are not being assessed or measured for incorrectness. It is a well-known statistic that a significant majority of security breaches are made possible by the lack of effective patching of systems and applications, where patches have been available for six or more months. While poor configurations are released into the wild, effective assessments can reduce those risks. How well is your security infrastructure protecting your business? If you can’t answer this question quantitatively, it’s time to implement a system of regular assessment and measurement.
One of the most profound findings from 2011’s Verizon Business Data Breach Investigations Report (see image) was that 86 percent of databreaches were discovered not by the afflicted parties, but rather by the afflicted party’s customers, partners or business associates. This staggering number demonstrates that despite all security efforts, companies are doing an inadequate job of prevention (and detection, in this case).
The time has come to shift our efforts to detection and correction, or at least institute a better balance across these domains. Consider your bank, and what they consider their most valuable security controls. Rarely do you find armed guards at banks today, and most of them prefer glass doors. Inside, however, you’ll find cameras, panic buttons and dye canisters at every teller station. You can’t stop bank robbers, but you can stop bank robberies.
With all of the press around security incidents these days, blogs like this feel like beating a dead horse. Unfortunately, if this preaching weren’t falling on deaf ears the statistics would be headed in the other direction. So grab your conscience, some duct tape and a bottle of water, there’s work to do.
And grab a shovel, we need help digging this grave.