Saying you’re secure is one thing; having the metrics to prove it is another, particularly when it comes to justifying security budgets.
Having metrics to focus on can make these conversations easier, security pros say.
But what metrics should security professionals think about to prove the strength of their team? Several people shared their ideas with SecurityWeek.
When it comes to dealing with upper management, cost and compliance are the magic words, Rich Mogull, CEO of security advisory firm Securosis, told SecurityWeek.
“In today’s environment I would focus on two things,” Mogull said. “First, focus on metrics showing compliance and how you are maintaining that compliance over time and at what cost. Reducing deficiencies over time is a really good one.”
“Then focus on things that demonstrate operational efficiency,” he said. “Things like reducing helpdesk calls which actually helps reduce overall cost to the organization. Or patching more efficiently and again at lower cost.”
Tom Rabaut, an analyst with RedSeal Systems, listed a number of metrics security teams should pay attention to, from the number of vulnerabilities on systems exposed to the Internet and extranet partners to the number of externally exposed systems that allow access using accounts not managed by a centralized authentication server. Still, he noted that no specific metrics are best for communicating with executives. There are, however, some things he contended security pros should keep in mind when communicating any metric.
“Frame the metric with a narrative,” he said. “What is the objective of the metric? If it pertains to a specific threat then explain the threat. What is the goal of the metric? And should it be increasing or decreasing?”
He also recommended using scorecards to frame the metric in the context of the business. Reporting the metric by business unit or business service is a good example and it communicates the metric in a context that is more applicable to executives, he said.
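The following is an added example and not code from the article, from RedSeal or from any other vendor named in it. It computes two of the exposure metrics Rabaut lists (vulnerabilities on externally exposed hosts, and exposed hosts that accept accounts not managed by a central authentication server), rolls them up into a per-business-unit scorecard, and frames each value with its trend and goal direction as he suggests. The inventory rows, the zone names and every field name are constructed assumptions.

```python
"""Added example (not from the SecurityWeek article, RedSeal or any
other vendor named in it): exposure metrics rolled up into a
per-business-unit scorecard with a trend against the previous period.
All inventory rows, zone names and field names are constructed
assumptions."""
from collections import defaultdict
from dataclasses import dataclass

EXTERNAL_ZONES = {"internet", "extranet"}   # zones that make a host "exposed"
METRICS = ("exposed_hosts", "exposed_vulns", "exposed_local_auth")


@dataclass(frozen=True)
class Asset:
    host: str
    business_unit: str
    zones: frozenset          # network zones the host is reachable from
    open_vulns: int           # unremediated findings on the host
    local_accounts: bool      # accepts logins not managed by central auth


def is_exposed(asset: Asset) -> bool:
    """A host is exposed if any zone it is reachable from is external."""
    return bool(asset.zones & EXTERNAL_ZONES)


def scorecard(inventory) -> dict:
    """Per business unit: exposed host count, vulns on exposed hosts,
    and exposed hosts that allow non-centrally-managed accounts.
    Internal-only hosts do not feed these metrics at all."""
    card = defaultdict(lambda: {m: 0 for m in METRICS})
    for a in inventory:
        if not is_exposed(a):
            continue
        row = card[a.business_unit]
        row["exposed_hosts"] += 1
        row["exposed_vulns"] += a.open_vulns
        row["exposed_local_auth"] += int(a.local_accounts)
    return dict(card)


def trend(previous: dict, current: dict) -> dict:
    """Delta per metric. A unit present in only one period counts as zero
    in the other, so a newly exposed unit shows up as growth, not silence."""
    empty = {m: 0 for m in METRICS}
    return {u: {m: current.get(u, empty)[m] - previous.get(u, empty)[m]
                for m in METRICS}
            for u in sorted(set(previous) | set(current))}


def narrative(unit: str, metric: str, current: dict, deltas: dict) -> str:
    """Frame a metric the way Rabaut suggests: value, direction, goal."""
    value = current.get(unit, {}).get(metric, 0)
    d = deltas[unit][metric]
    change = "unchanged" if d == 0 else f"{'down' if d < 0 else 'up'} {abs(d)}"
    return f"{unit}: {metric}={value} ({change} vs. last period; goal: decreasing)"


# Constructed inventories for two reporting periods.
LAST_PERIOD = [
    Asset("web-01", "Sales", frozenset({"internet"}), 6, True),
    Asset("web-02", "Sales", frozenset({"internet"}), 3, True),
    Asset("partner-gw", "Finance", frozenset({"extranet"}), 2, True),
    Asset("db-01", "Finance", frozenset({"internal"}), 7, True),
    Asset("hr-portal", "HR", frozenset({"internet", "internal"}), 1, False),
]
THIS_PERIOD = [
    Asset("web-01", "Sales", frozenset({"internet"}), 4, True),
    Asset("web-02", "Sales", frozenset({"internet"}), 1, False),
    Asset("partner-gw", "Finance", frozenset({"extranet"}), 2, True),
    Asset("db-01", "Finance", frozenset({"internal"}), 7, True),
    Asset("hr-portal", "HR", frozenset({"internet", "internal"}), 0, False),
]

if __name__ == "__main__":
    prev, cur = scorecard(LAST_PERIOD), scorecard(THIS_PERIOD)
    deltas = trend(prev, cur)
    for unit in cur:
        for metric in ("exposed_vulns", "exposed_local_auth"):
            print(narrative(unit, metric, cur, deltas))
```

Note that db-01 carries the most findings in the sample but never appears in the scorecard, because it is reachable only from the internal zone; the metric is deliberately about what an outsider can reach, so the exposure model behind `is_exposed` matters as much as the vulnerability counts. In practice the zone data would come from firewall and routing analysis rather than a hand-maintained field.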
Joe Gottlieb, CEO of Sensage, sat on a panel on security metrics with Rabaut at the Hacker Halted Conference in Miami two weeks ago. In an email to SecurityWeek, Gottlieb said Sensage customers regularly ask the company to monitor everything from the number of alerts and user access behavior to the number of downloads by users, with the last item used as a point of comparison to determine whether a computer has been compromised by botnet malware.
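The comparison Gottlieb describes, as an added example that is not code from the article or from Sensage: each host's download count on the day under review is compared against that host's own recent history, and hosts that exceed a robust threshold are flagged. The log lines are constructed, and their whitespace-separated layout (date, host, user, URL) is an assumption about the input format.

```python
"""Added example (not from the SecurityWeek article or from Sensage):
per-host download counts compared against each host's own history.
The log is constructed and its format (date host user url) is assumed."""
from collections import defaultdict
from statistics import median


def constructed_log() -> str:
    """Four days of history plus the review day for three hosts.
    ws-17 jumps from a few downloads a day to 40; ws-22 is steady;
    ws-09 spikes too but has only two days of history."""
    days = ["2011-10-20", "2011-10-21", "2011-10-22", "2011-10-23"]
    history = {"ws-17": [3, 2, 3, 4], "ws-22": [5, 4, 6, 5], "ws-09": [1, 2]}
    review_day = {"ws-17": 40, "ws-22": 6, "ws-09": 30}
    lines = []
    for host, counts in history.items():
        for day, n in zip(days[-len(counts):], counts):
            lines += [f"{day} {host} u{host[-2:]} http://files.example/{i}"
                      for i in range(n)]
    for host, n in review_day.items():
        lines += [f"2011-10-24 {host} u{host[-2:]} http://files.example/{i}"
                  for i in range(n)]
    return "\n".join(lines)


def daily_counts(log_text: str) -> dict:
    """host -> date -> number of downloads recorded that day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, host, _user, _url = line.split(maxsplit=3)
        counts[host][date] += 1
    return counts


def flag_outliers(counts, review_date, k=3.0, min_abs=10, min_history=3):
    """Flag hosts whose review-day count exceeds median + k*MAD of their
    own history and an absolute floor (min_abs stops a near-zero baseline
    from flagging single-digit counts). Hosts without enough history are
    returned separately rather than silently ignored."""
    flagged, no_baseline = {}, []
    for host, by_day in counts.items():
        today = by_day.get(review_date, 0)
        history = [n for d, n in by_day.items() if d < review_date]
        if len(history) < min_history:
            no_baseline.append(host)
            continue
        med = median(history)
        mad = median(abs(n - med) for n in history) or 1.0
        threshold = max(med + k * mad, min_abs)
        if today > threshold:
            flagged[host] = {"today": today, "median": med,
                             "threshold": threshold}
    return flagged, sorted(no_baseline)


if __name__ == "__main__":
    flagged, no_baseline = flag_outliers(daily_counts(constructed_log()),
                                         "2011-10-24")
    for host, info in flagged.items():
        print(f"{host}: {info['today']} downloads, baseline median "
              f"{info['median']}, threshold {info['threshold']}")
    print("no baseline yet:", no_baseline)
```

A spike like ws-17's is a prompt to investigate, not proof of compromise: a user pulling a large legitimate batch of files produces the same count. Comparing against the host's own history rather than a fleet-wide average keeps a normally busy host from being flagged for being busy, and returning the hosts that lack a baseline (ws-09 here) makes the blind spot visible instead of hiding it.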
“Security Metrics are really difficult to demonstrate,” declared Andrew Plato, president of IT consultancy Anitian Enterprise Security. “Security just does not lend itself to clearly defined metrics. There are some basic technical metrics that can be looked at: number of incidents, number of virus outbreaks, and so forth. These can be translated into a monetary expense with some estimation. But those are always going to be based on a lot of assumptions.”
“I think the best metric is – what does your third party assessment say each year? A strong security team should be getting strong marks from a third party assessor,” he said. “That is really the ultimate metric.”
More from Brian Prince