A series of events converged during the past few weeks that reemphasized the need for our industry to do a better job of establishing measurable and repeatable processes.
President Trump’s cybersecurity executive order included radical suggestions like patching the most important vulnerabilities, prioritizing critical assets and replacing infrastructure that cannot be secured.
I attended a cybersecurity insurance conference that highlighted that one of the greatest barriers to effective policy writing is the inability to document and demonstrate effective practices and the level of cyber risk exposure presented by an enterprise.
The WannaCry ransomware attack hit Windows systems that contained unpatched, known vulnerabilities. Finally, a recently published report captures a day in the life of a security practitioner, which unsurprisingly reveals that the vast majority of practitioners are overwhelmed and highly stressed by the daily treadmill of threats and vulnerabilities.
So, what are we doing wrong? Although recommendations like prioritizing patching of vulnerabilities that expose the most important assets and upgrading un-securable infrastructure can seem obvious, the reality is that achieving those goals is far from simple. In many instances, enterprise CISOs are pulled in every direction, dealing with all of the challenges of protecting a large-scale business running on complex legacy environments.
It is all too easy to get lost in the noise, trying to burn down the long list of issues each day, only to arrive the next morning to a whole new pile of problems. While machine learning and incident response automation are great productivity boosters, it has been well established that you cannot effectively automate processes that you can’t measure.
It’s time to get it together. That doesn’t mean fixing every issue in an instant. No executive team or board realistically expects an overnight turnaround. The problems and issues were not created overnight and they cannot be fixed overnight.
The focus needs to be on continuous improvement concepts that have been around for decades. Although cybersecurity has a lot of unknowns and variability, from a process improvement point of view it is fundamentally not that different from other critical enterprise processes. It means establishing the right measurement criteria, assessing performance against those criteria, establishing a plan to achieve measurable goals, and tracking to that plan. For the sales side of the house, there are pipeline, activity and closing reports. On the financial side, there are P&Ls, balance sheets and income statements. Operations has productivity, quality and safety metrics. Performance of these important processes is measured, adjusted and incrementally improved on a daily basis by those charged with managing them.
In cybersecurity, the first step is measuring where you stand and having a plan to get to where you want to go. Start with an established framework like the NIST Cybersecurity Framework, and then establish a top-level scorecard of metrics with underlying sub-metrics at a more detailed level. Each metric should be associated with minimal and optimal goals, timelines for progress, and an owner responsible for its success. Top-level scorecards can be used by CISOs and boards to measure progress, adjust resourcing and drive the program at a strategic level. Lower-level metrics and scorecards can be used by operational teams to manage and improve their respective functions. Established and consistent metrics also provide goals for practitioners, providing a mechanism for performance measurement, compensation and reward. For example, CISOs may measure metrics associated with phishing prevention at an enterprise level, the person in charge of security awareness will measure the success of various training programs, email administrators measure the success of blocking phishing emails before they enter, and line-of-business managers can track a metric of their respective group's success at identifying and reporting suspect emails to security operations. Each metric is established at the right level, can be tracked, and rolls up to the more strategic levels. On the front lines, a lot of these metrics can be gamified to create some friendly competition amongst peers, leading to improved performance and reduced risk.
An important activity, in parallel with establishing the right set of measurement criteria, is to get your arms around all that complexity and legacy. Identify assets, their criticality, loss impact, ownership, technical profile with regard to the ability to secure them, threat detection/protection coverage and vulnerability identification coverage.
The second step is establishing the plan and actual execution against the plan, which is a topic for another day. Planning and execution are obviously not trivial, but with the right measurement framework in place, it becomes a structured process that drives an incremental continuous improvement process. The ability to know where you stand and where you need to get to will evolve the mode of operation from chaos to organization. It will also highlight areas of urgent need that require immediate resourcing and attention to get to minimally acceptable levels.