It’s Time to Stop Measuring Security Success by Only Internal, Readily-available Metrics
As the budget planning season approaches, discussions of how to measure security success to justify resource allocation or expansion return to the agenda. There are plenty of great articles that can help you identify security metrics to demonstrate the value of security programs, but before leaping to the selection of metrics, we must first define success. This can be more art than science.
Security tools are also good at telling us how many attacks we’ve thwarted, how many systems we have hardened or how many authentications require a second factor. We also get reports on how our controls measure up to our policies through compliance audits. While it’s easy to rely on metrics that are readily available, how does one determine which metrics are actually a measure of security success as it pertains to the overall business priorities?
Mature organizations tend to focus on measuring risks and how they are being mitigated, which is ultimately what IT security is all about. But even the best organizations can fall into the trap of evaluating themselves against the wrong criteria.
To really measure achievements in security programs, we must first define what success looks like.
Who defines success?
Security teams, like any other team, will gravitate towards self-definition of success. But if budget justification, or even higher aspirations such as business enablement, is the objective, then success factors are not solely determined by internal stakeholders. Instead, these factors must come from the needs of the business. The problem is that the business has no idea how to describe what they want from security other than “don’t get hacked” and “make the auditors happy.”
One easy-to-use model that can help security teams and business managers collaborate on goal planning is called “GOSPA,” an acronym for Goals, Objectives, Strategies, Plans and Actions. It is hierarchical: each layer supports the one above it. So, for example, you could start with a realistic goal such as:
Minimize the risk of a data breach or information loss to the standards of peers within our industry.
This could then be built into objectives such as:
• Reduce the time to complete system updates (application of patches) by 50%
• Increase the use of two-factor authentication to cover 100% of sensitive data
• Implement privileged account management for all administrators
Objectives have an associated strategy to accomplish them, subdivided into plans, which are then broken down into specific actions or tasks for workers to carry out.
While strategy and actions will drive the overall business success, objectives are the measurable component, and these are what you need to define with your business relationship manager. Educating decision makers on the cost of achieving the agreed-upon objectives is also a step in this process. If they balk at the costs, there is room to revise the objectives so they are realistic for the business.
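Because objectives are the measurable layer, each of the three example objectives above can be turned into a check that is computed from the organization's own records rather than read off a tool dashboard. The following is an added example, not code from the article; the patch events, data-store inventory and administrator accounts it uses are constructed sample data, and the 50% / 100% targets are the ones stated in the objectives list.

```python
from datetime import date
from statistics import mean

# Constructed sample records (not from the article). In practice these would
# come from the patch-management system, the data inventory and the IdP/PAM tool.
PATCH_EVENTS = [
    # (host, period, patch released, patch applied)
    ("web-01", "baseline", date(2023, 1, 3), date(2023, 2, 2)),    # 30 days to patch
    ("db-01", "baseline", date(2023, 1, 3), date(2023, 2, 12)),    # 40 days to patch
    ("web-01", "current", date(2023, 7, 4), date(2023, 7, 18)),    # 14 days to patch
    ("db-01", "current", date(2023, 7, 4), date(2023, 7, 24)),     # 20 days to patch
]
DATA_STORES = [
    # (name, holds sensitive data, requires second factor)
    ("crm-db", True, True),
    ("hr-files", True, False),
    ("wiki", False, False),
]
ADMIN_ACCOUNTS = [
    # (account, managed by privileged account management)
    ("root@db-01", True),
    ("admin@web-01", True),
    ("da-backup", False),
]

# Targets taken from the objectives in the text: 50% faster patching,
# 100% two-factor coverage of sensitive data, 100% PAM coverage of admins.
TARGETS = {"patch_lag_reduction": 0.5, "two_factor_coverage": 1.0, "pam_coverage": 1.0}


def mean_patch_lag(events, period):
    """Mean days between patch release and application for one period."""
    return mean((applied - released).days for _, p, released, applied in events if p == period)


def patch_lag_reduction(events):
    """Fractional reduction in mean time-to-patch from the baseline period to the current one."""
    base = mean_patch_lag(events, "baseline")
    return (base - mean_patch_lag(events, "current")) / base


def two_factor_coverage(stores):
    """Share of sensitive data stores that require a second factor."""
    sensitive = [s for s in stores if s[1]]
    return sum(1 for s in sensitive if s[2]) / len(sensitive)


def pam_coverage(accounts):
    """Share of administrator accounts under privileged account management."""
    return sum(1 for _, managed in accounts if managed) / len(accounts)


def evaluate_objectives(events=PATCH_EVENTS, stores=DATA_STORES, accounts=ADMIN_ACCOUNTS):
    """Measure each objective and report whether its agreed target is met."""
    measured = {
        "patch_lag_reduction": patch_lag_reduction(events),
        "two_factor_coverage": two_factor_coverage(stores),
        "pam_coverage": pam_coverage(accounts),
    }
    return {k: {"measured": v, "target": TARGETS[k], "met": v >= TARGETS[k]} for k, v in measured.items()}


def gaps(stores=DATA_STORES, accounts=ADMIN_ACCOUNTS):
    """The concrete items behind an unmet objective, i.e. the next actions in GOSPA terms."""
    return {
        "sensitive_stores_without_2fa": [s[0] for s in stores if s[1] and not s[2]],
        "admins_outside_pam": [a for a, managed in accounts if not managed],
    }


if __name__ == "__main__":
    for name, result in evaluate_objectives().items():
        status = "met" if result["met"] else "NOT met"
        print(f"{name}: {result['measured']:.2f} (target {result['target']:.2f}) {status}")
    print(gaps())
```

With the sample data, patching went from a 35-day mean to 17 days (a 51% reduction, so that objective is met), while only half of the sensitive stores enforce a second factor and one of three administrators sits outside PAM; `gaps()` names the items that the corresponding plans and actions need to address.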
Measure for business health
Working with the business is a two-way street. While it is necessary for security to educate business partners on what is needed to achieve goals, the business must be prepared to deliver specific plans and priorities to the security team as well. In other words, the business must share the measures of their own success.
That information must inform the planning and priorities of security. Current budgeted items and projects must be reconsidered at least annually to determine if they are necessary and align with the business plans.
For example, if you blow your entire budget on next-generation firewall upgrades, but it turns out that the mid-year business initiative to engage customers better with a new mobile app has a rogue administrator who is selling personal information, then security is misaligned. With the rapid pace of digital transformation, it’s crucial to remember that the timeframe to pivot security accordingly is shrinking: competitors are driving businesses to become more agile in their response to ever-changing market demands.
The art of measuring security success comes down to this business alignment. It isn’t always an obvious one-to-one match, but the effort must be made nonetheless. Increasingly, security will be driven to “shift-left” by the DevOps (or DevSecOps) movement. It’s time to stop measuring security success by internal, readily-available metrics, and leverage shared objectives to drive greater alignment with business priorities.