Tips for Leveraging Security Metrics

My previous column on security metrics seemed to generate quite a bit of interest.  This tells me that metrics is a topic that, while challenging, is also important and at the top of the priority list for security organizations.

An unfortunate, though timely news story brings me an apt analogy for this week’s piece.  A few weeks back, a woman entered the lion’s den at the Bronx Zoo.  This was a poor decision that put the woman in an extremely dangerous situation.  Fortunately, she escaped unharmed.

What does this story have to do with security?  A good security program will keep the organization it is charged with defending out of harm’s way.  While this seems obvious, in practice, it’s not so easy to do consistently.  While there are many tools that can help here, let’s focus on using security metrics for this purpose.  In other words, how can we use security metrics to keep us out of the lion’s den?

In this spirit, here are five tips for leveraging security metrics to keep your organization out of the lion’s den:

1. Keep stakeholders informed: Regardless of your security organization’s maturity level, most key stakeholders want an accurate read on the security program more than anything else.  That’s the case even when the program is not as well-oiled as it should be.  Executives, management, customers, partners, and other stakeholders want to know that the security team is continually maturing and improving, and that they are actively reducing and mitigating the risk that the organization faces.  How the team is tracking in relative terms and when and how it will get to the desired level of maturity is typically more important than where the team is today in absolute terms.  It is precisely because of this that developing meaningful, relative, clear and concise metrics is so important.  Allowing stakeholders to easily track your trajectory reduces doubt and the volume of ad hoc questions and inquiries the team will get.  This, in turn, helps to keep the security organization out of the lion’s den of uncertainty and lack of confidence that poor metrics creates.

2. Monitor risk:  The security organization’s responsibility, first and foremost, is to reduce and mitigate risk to the organization.  As you can imagine, it’s much easier to do so when an effective means by which risk can be measured is in place.  This is one area in which metrics can provide great advantages by giving us a framework through which we can track and monitor risk over time.  Doing so requires taking the time to understand which risks take the highest priority when it comes to measurement, and subsequently devising a means by which those risks can be measured over time.  This is not a trivial undertaking, but it is one that pays huge dividends.  When done properly, measuring risk allows the organization to keep an eye on areas where risk may be rising to unacceptable levels, potentially putting the organization into the lion’s den.  Effective risk metrics are another great way to keep the security team out of that dangerous enclosure.

3. Monitor progress:  If you’ve made some good choices, your security organization will mature and improve over time.  But all of that effort is for naught if you don’t have an effective way to measure that progress.  Developing the right progress metrics isn’t an easy task, but it is a worthwhile one.  Once you prioritize the list of functional areas that are important to your stakeholders, you will need to develop objective measurements to track and trend the team’s progress.  These measurements will need to stay consistent over time.  They will also need to be understandable and relatable to your stakeholders and evaluators.  More important than where the team finds itself today is that it shows a consistent upward track.  If progress in specific functional areas begins to stall out or recede, those areas will need to be addressed.  Having the ability to measure continually and to efficiently identify snags along the way can help keep the security organization out of the lion’s den that results from stagnation.

4. Benchmark:  While many categories of metrics compare the organization to itself over time, performance metrics are not one of those categories.  Before we can discuss performance metrics, we must discuss the topic of benchmarks.  Benchmarks provide us a way to understand where we sit compared with peer organizations, industry standards, third-party organizations, and best practices.  While there are no hard and fast rules for finding the benchmarks that suit the organization, it is generally helpful to look at where organizations that are of a similar size, budget, geographic location, and industry fall along a number of performance criteria.  However you decide to slice this data and whatever sources you opt to get it from, it should remain consistent throughout your reporting to ensure that performance is measured against a constant scale.  Benchmarking is the first step towards staying out of the lion’s den that results from poor performance metrics reporting.

5. Monitor performance: Once the appropriate benchmarks have been determined, the security team can set about measuring its performance.  It goes without saying that it is important to be as objective as possible during this pursuit.  The ideal performance metrics are objective and analytical, operating on precisely the right subset or slice of data.  How these metrics are devised will depend partially on the benchmarking that has been done and partially on stakeholder guidance.  Regardless of which set of performance metrics is agreed upon, they should be reported consistently, with an eye towards continual improvement.  If performance begins to drop in one or more areas, that’s a sign that the security organization could be headed for the lion’s den.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.