Using Analytics to Measure InfoSec Success

By Mark Davidson | February 16, 2009

Introduction

As today’s companies become leaner and meaner, I see performance metrics being used by many corporations to ensure that productivity remains high and that the company’s employees are properly compensated.  One of the biggest challenges that I have faced as a security executive was to prove my organization’s value to the business.  I was asked to objectively measure my success as a security organization.  Honestly, I was stumped for quite a while.  How do you measure success for a CISO?  Information Security can be difficult to explain to executive management.  How can we do a better job as a profession to demonstrate our business value to our companies?

Concept 1:  Vulnerability Management

The first concept was to measure the number of vulnerabilities in my environment and to demonstrate that a reduction in the number of vulnerabilities means that security has been improved.  This can be a very successful way to measure the success of your organization.  Better tracking, remediation and management of your vulnerabilities demonstrates to management that security as a process is being followed, that policies are being adhered to, and that the IT and Security organizations are working together to reduce risk.  What is the downside to measuring your success only by vulnerability management?  Well, legacy applications, new applications, new servers and M&A activities create an environment that is difficult to measure and trend in the positive direction.  The count of vulnerabilities will always rise and fall based upon these and other factors.  These swings are difficult to explain to management, since they tend to want to see nice steady improvements, not violent shifts.  Make sure you can identify the spikes when using this tool.  What has your success been using vulnerability management to measure your organization’s security value?
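One way to keep the spikes explainable is to track vulnerabilities per asset alongside the raw count, and to attribute any jump to either a change in scan scope (new servers, an acquisition) or a genuine increase in vulnerability density. The following is an added example, not code from the original article; the monthly figures, asset counts and notes are constructed sample data, and the 25% spike threshold is an assumed value.

```python
"""Vulnerability-count trend with spike attribution (added example).

Raw vulnerability counts swing whenever scan scope changes. Normalising by
the number of in-scope assets separates "we added 200 hosts" from "the same
hosts got worse", which is the distinction management needs to hear.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonthlySnapshot:
    month: str
    open_vulns: int      # open findings at month end
    assets: int          # hosts in scan scope at month end
    note: str = ""       # recorded environment change, if any


# Constructed sample data for illustration only.
SNAPSHOTS = [
    MonthlySnapshot("2008-09", 1200, 400),
    MonthlySnapshot("2008-10", 1100, 400),
    MonthlySnapshot("2008-11", 1000, 410),
    MonthlySnapshot("2008-12", 1550, 620, "acquired subsidiary's hosts added to scan scope"),
    MonthlySnapshot("2009-01", 2100, 625),   # no note recorded: needs investigation
    MonthlySnapshot("2009-02", 1500, 630),
]


def per_asset(snapshot: MonthlySnapshot) -> float:
    """Vulnerability density: open findings per in-scope asset."""
    return snapshot.open_vulns / snapshot.assets


def flag_spikes(snapshots, threshold: float = 0.25):
    """Return one finding per month whose raw count rose by more than `threshold`.

    A spike whose per-asset density stayed flat is scope growth; a spike where
    density also rose is a real regression (or an unexplained one if no note exists).
    """
    findings = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        raw_change = (cur.open_vulns - prev.open_vulns) / prev.open_vulns
        density_change = (per_asset(cur) - per_asset(prev)) / per_asset(prev)
        if raw_change <= threshold:
            continue
        kind = "scope growth" if density_change <= threshold else "density increase"
        findings.append({
            "month": cur.month,
            "raw_change": round(raw_change, 3),
            "density_change": round(density_change, 3),
            "kind": kind,
            "note": cur.note or "no recorded environment change",
        })
    return findings


def trend_summary(snapshots):
    """Start-to-end change in density: the steady trend line executives want."""
    start, end = per_asset(snapshots[0]), per_asset(snapshots[-1])
    return {
        "start_density": round(start, 2),
        "end_density": round(end, 2),
        "density_change": round((end - start) / start, 3),
    }


if __name__ == "__main__":
    for s in SNAPSHOTS:
        print(f"{s.month}  open={s.open_vulns:5d}  assets={s.assets:4d}  per-asset={per_asset(s):.2f}")
    for f in flag_spikes(SNAPSHOTS):
        print(f"SPIKE {f['month']}: raw +{f['raw_change']:.0%}, density "
              f"{f['density_change']:+.0%} -> {f['kind']} ({f['note']})")
    print("trend:", trend_summary(SNAPSHOTS))
```

On the sample data the December jump is attributed to the acquisition (density barely moves), while the January jump has no recorded cause and a rising density, so it is the one to investigate before the numbers reach the executive report; the overall per-asset trend is still downward.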

Concept 2:  Security Information Management

A few years ago, the security industry spent a lot of money and resources working with a set of products called security information management (SIM) tools.  These tools promised the ability to correlate events across complex environments and reduce the volume of security-related data to something usable.  SIM tools delivered for the most part.  They correlated vast amounts of data and provided useful information for the security organization.  Reports from these tools provided management with actionable information and clearly demonstrated the success of security organizations from many standpoints:

  • User and Role based controls
  • Virus Integration
  • Firewalls and IPS Logging
  • VPN/User Reporting
  • System and DB availability

The challenge with these tools for many companies was the complexity of integrating the tool inside the company while creating usable reports.  The truly successful companies that implement SIM tools also put in place a team of people who understand the business needs and can provide reports that are useful for the organization, not just security or IT.  Deployment of a SIM tool does not guarantee success.  How successful have you been using SIM reports as the sole measurement of your organization’s performance?

Concept 3:  Risk Management

[Image: Risk Measurement]

After working on several tools including SIM and vulnerability reports, I developed a tool that measured broad risk across many fronts, including vulnerability and SIM.  The nice thing about the broad view is that I could strategically look at spheres of influence outside of pure security and measure those as well.  Development is an example.  By developing a risk model, I could now begin to look at security processes across the entire enterprise and include them in the process.  This allowed me to work more closely with some of the other business units within the company, building value.  Most executives DO want to do the right thing; they just need to understand what the issues are.  The risk tool helps many business line managers to understand how security can impact them and how they impact a corporation’s risk.  The risk model turned into the Security Posture Assessment, a nearly 900 question tool for measuring broad risk in an organization.  The tool allowed one to plan where resources, whether people or money for tools, needed to be invested across the organization.  The tool provided a very easy-to-understand metric showing executives where we stood and what our game plan was to improve.  Have you used a risk tool at your company to measure the value of security?  If so, how did it work?
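The mechanics of turning a long questionnaire into one executive metric are simple: each question carries a weight and belongs to a domain, answers map to a score, domain scores roll up into an overall figure, and the lowest-scoring domains are where the next investment goes. The following is an added example of that rollup, not the author's Security Posture Assessment or its questions; the domains, questions, weights, answer scale and Green/Amber/Red thresholds are all constructed assumptions for illustration.

```python
"""Questionnaire-based risk posture score (added example).

Each question has a domain and a weight. Answers score yes=1, partial=0.5,
no=0; "n/a" questions are excluded from the denominator rather than counted
as failures, so a domain that does not apply cannot drag the score down.
"""
from collections import defaultdict

# Constructed sample questions: (domain, question, weight). Not the article's tool.
QUESTIONS = [
    ("Vulnerability Mgmt",   "Critical findings remediated within SLA?",    3),
    ("Vulnerability Mgmt",   "All production hosts in scan scope?",         2),
    ("Logging & Monitoring", "Firewall and IPS logs centrally collected?",  2),
    ("Logging & Monitoring", "Alerts reviewed daily by a named owner?",     3),
    ("Access Control",       "Role-based access reviewed quarterly?",       3),
    ("Access Control",       "Shared admin accounts eliminated?",           2),
    ("Development",          "Third-party libraries inventoried?",          2),
    ("Development",          "Code scanned before release?",                2),
]

# Assumed relative importance of each domain to the business.
DOMAIN_WEIGHTS = {
    "Vulnerability Mgmt": 3,
    "Logging & Monitoring": 2,
    "Access Control": 3,
    "Development": 2,
}

ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}


def score_domains(questions, answers):
    """Return {domain: score 0-100}. Unanswered questions count as 'no'."""
    earned = defaultdict(float)
    possible = defaultdict(float)
    for domain, question, weight in questions:
        answer = answers.get(question, "no").strip().lower()
        if answer == "n/a":
            continue                      # excluded from both numerator and denominator
        if answer not in ANSWER_SCORE:
            raise ValueError(f"unrecognised answer {answer!r} for {question!r}")
        earned[domain] += weight * ANSWER_SCORE[answer]
        possible[domain] += weight
    return {d: round(100 * earned[d] / possible[d], 1) for d in possible if possible[d]}


def overall_score(domain_scores, domain_weights=DOMAIN_WEIGHTS):
    """Weighted average of domain scores: the single number for the executive slide."""
    total_weight = sum(domain_weights[d] for d in domain_scores)
    weighted = sum(domain_scores[d] * domain_weights[d] for d in domain_scores)
    return round(weighted / total_weight, 1)


def investment_priorities(domain_scores):
    """Domains ordered from weakest to strongest: where people or tool money goes first."""
    return sorted(domain_scores, key=domain_scores.get)


def rating(score):
    """Assumed thresholds for a traffic-light rating."""
    if score >= 80:
        return "Green"
    if score >= 60:
        return "Amber"
    return "Red"


# Constructed sample responses from one assessment.
SAMPLE_ANSWERS = {
    "Critical findings remediated within SLA?":   "yes",
    "All production hosts in scan scope?":        "partial",
    "Firewall and IPS logs centrally collected?": "yes",
    "Alerts reviewed daily by a named owner?":    "no",
    "Role-based access reviewed quarterly?":      "partial",
    "Shared admin accounts eliminated?":          "yes",
    "Third-party libraries inventoried?":         "n/a",
    "Code scanned before release?":               "partial",
}

if __name__ == "__main__":
    scores = score_domains(QUESTIONS, SAMPLE_ANSWERS)
    total = overall_score(scores)
    for domain in investment_priorities(scores):
        print(f"{domain:22s} {scores[domain]:5.1f}")
    print(f"overall {total} -> {rating(total)}")
```

Two design points carry over to a real assessment: treat "n/a" explicitly rather than as a zero, or domains that do not apply will look like failures, and keep the domain weights separate from the question weights so the business can argue about priorities without re-scoring every question.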

Conclusion

What is the right way to measure the value of security?  There is no single right answer.  The best method to use is the one that works for you and your organization.  Remember the security wheel: security is a process, not a destination.  I would love to hear back from you!  What ways did you use at your organization to measure that success?
