Introduction
As today’s companies become leaner and meaner, I see performance metrics being used by many corporations to ensure that productivity remains high and that employees are properly compensated. One of the biggest challenges I have faced as a security executive was proving my organization’s value to the business. I was asked to objectively measure my success as a security organization. Honestly, I was stumped for quite a while. How do you measure success for a CISO? Information security can be difficult to explain to executive management. How can we, as a profession, do a better job of demonstrating our business value to our companies?
Concept 1: Vulnerability Management
The first concept was to measure the number of vulnerabilities in my environment and to demonstrate that a reduction in that number means security has improved. This can be a very successful way to measure the success of your organization. Better tracking, remediation and management of your vulnerabilities demonstrates to management that security as a process is being followed, that policies are being adhered to, and that the IT and security organizations are working together to reduce risk. What is the downside to measuring your success only by vulnerability management? Legacy applications, new applications, new servers and M&A activity create an environment that is difficult to measure and to trend in the positive direction. The vulnerability count will rise and fall based on these and other factors. These swings are difficult to explain to management, who tend to want to see nice steady improvements, not violent shifts. Make sure you can identify the cause of each spike when using this tool. What has your success been using vulnerability management to measure your organization’s security value?
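As an added illustration of the spike problem (example code written for this article, not a tool from the original post): it takes constructed weekly scan snapshots, reports the raw count alongside findings per asset, and separates the change on assets you already had from findings that arrived with newly scanned assets, so a jump caused by an acquisition is reported as onboarding rather than as a regression. Asset names, dates and counts are made up.

```python
"""Vulnerability-count trend with spike attribution.

Constructed sample data: each snapshot is (week, {asset: open findings}).
The "acq-*" hosts appear in the third week to stand in for an acquired
environment being brought into scan scope.
"""

SNAPSHOTS = [
    ("2024-01-07", {"web-01": 10, "db-01": 8, "app-01": 6}),
    ("2024-01-14", {"web-01": 7, "db-01": 6, "app-01": 5}),
    # Acquired company's hosts join the scan scope this week (constructed).
    ("2024-01-21", {"web-01": 6, "db-01": 5, "app-01": 4, "acq-01": 20, "acq-02": 15}),
    ("2024-01-28", {"web-01": 5, "db-01": 4, "app-01": 3, "acq-01": 10, "acq-02": 8}),
]


def summarize(snapshots):
    """Per-snapshot totals, density (findings per asset), and how much of the
    total sits on assets that were not present in the previous snapshot."""
    rows = []
    prev_counts = {}
    for week, counts in snapshots:
        assets = set(counts)
        carried = assets & set(prev_counts)      # assets present in both weeks
        new_assets = assets - set(prev_counts)   # first seen this week
        total = sum(counts.values())
        vulns_on_new = sum(counts[a] for a in new_assets)
        # Like-for-like change on the assets we already owned last week.
        existing_delta = (sum(counts[a] for a in carried)
                          - sum(prev_counts[a] for a in carried))
        rows.append({
            "week": week,
            "assets": len(assets),
            "total": total,
            "density": round(total / len(assets), 2) if assets else 0.0,
            "new_assets": sorted(new_assets),
            "vulns_on_new_assets": vulns_on_new,
            "existing_delta": existing_delta,
            "prev_total": sum(prev_counts.values()) if prev_counts else None,
        })
        prev_counts = counts
    return rows


def flag_spikes(rows, threshold=0.30):
    """Return the weeks whose total moved by at least `threshold` (as a
    fraction of the previous week's total), with the parts an executive
    will ask about: how much came with new assets, how existing assets moved."""
    spikes = []
    for row in rows:
        prev = row["prev_total"]
        if not prev:
            continue
        change = (row["total"] - prev) / prev
        if abs(change) >= threshold:
            spikes.append({
                "week": row["week"],
                "change": round(change, 2),
                "vulns_on_new_assets": row["vulns_on_new_assets"],
                "existing_delta": row["existing_delta"],
            })
    return spikes


def explain(spike):
    """One-line explanation of a spike suitable for a management report."""
    direction = "rose" if spike["change"] > 0 else "fell"
    return (f"{spike['week']}: open findings {direction} {abs(spike['change']):.0%}; "
            f"{spike['vulns_on_new_assets']} findings came with newly scanned assets, "
            f"existing assets moved by {spike['existing_delta']:+d}.")


if __name__ == "__main__":
    rows = summarize(SNAPSHOTS)
    for r in rows:
        print(f"{r['week']} assets={r['assets']:2d} total={r['total']:3d} "
              f"density={r['density']}")
    for s in flag_spikes(rows):
        print(explain(s))
```

The density figure and the like-for-like delta are what keep the trend honest: in the constructed data the third week's raw count nearly triples, yet the assets that were already in scope improved, which is the sentence you want on the slide.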
Concept 2: Security Information Management
A few years ago, the security industry spent a lot of money and resources on a set of products called security information management (SIM) tools. These tools promised the ability to correlate data from complex environments and reduce the volume of security-related information. SIM tools delivered for the most part: they correlated vast amounts of data and provided useful information for the security organization. Reports from these tools gave management actionable information and clearly demonstrated the success of security organizations from many standpoints:
- User and role-based controls
- Antivirus integration
- Firewall and IPS logging
- VPN/user reporting
- System and database availability
The challenge with these tools for many companies was the complexity of integrating the tool into the company while producing usable reports. The truly successful companies that implement SIM tools also build a team of people who understand the business needs and can produce reports that are useful to the organization as a whole, not just to security or IT. Deployment of a SIM tool does not guarantee success. How successful have you been using SIM reports as the sole measurement of your organization’s performance?
Concept 3: Risk Management
After working with several tools, including SIM and vulnerability reports, I developed a tool that measured broad risk across many fronts, including vulnerability and SIM data. The nice thing about the broad view is that I could strategically look at spheres of influence outside of pure security and measure those as well; development is one example. By developing a risk model, I could begin to look at security processes across the entire enterprise and include them in the process. This allowed me to work more closely with other business units within the company, building value. Most executives DO want to do the right thing; they just need to understand what the issues are. The risk tool helps many business line managers understand how security can impact them and how they impact the corporation’s risk. The risk model turned into the Security Posture Assessment, a nearly 900-question tool for measuring broad risk in an organization. The tool allowed one to plan where resources, whether people or money for tools, needed to be invested across the organization. It provided a very easy-to-understand metric showing executives where we stood and what our game plan was to improve. Have you used a risk tool at your company to measure the value of security? If so, how did it work?
Conclusion
What is the right way to measure the value of security? There is no single right answer. The best method is the one that works for you and your organization. Remember the security wheel: security is a process, not a destination. I would love to hear back from you! What ways have you used at your organization to measure that success?
Do you have an opinion? I’d love to hear it!