To help you communicate your security program’s effectiveness, I’d like to share my first-hand experiences and thoughts on why metrics are crucial to your security program and how they should be presented to your executives and board members.
Metrics must tell a story
Most chief executive officers (CEOs) and board-level executives assume that the security team is doing its job; no one sets out to build an insecure network. The metrics that matter are the ones that tell a story in the context of a business reality: they show where things stand and justify an action that will improve business performance. Those are the metrics that matter to the CEO, and part of your job as a security professional is to know which metrics are important for the situation at hand.
Metrics describe problems and point to solutions
For example, say that you're head of security for Acme Widgets, and you recognize an issue that requires a high-level decision. You request a meeting with the board. You might begin by explaining how computer security affects the business. Malware outbreaks caused widget production lines to shut down six times in the past year, and each shutdown cost a median of $150,000 in lost production and remediation. A root-cause analysis of those incidents revealed that all six resulted from malware infections on desktops initiated by phishing attacks. Further analysis revealed that they all came from the same business unit. Interviews with that unit showed that the security controls imposed on its desktops do not fit the access its people need in order to do their work.
You then recommend changing the desktop environment. That will cost $XX, but in the upcoming year it will save the company $XXX. Furthermore, you offer to report back in six months about whether the savings have materialized and possibly recommend that this approach be extended to other parts of the company. In the course of your presentation, you move through slides, and each slide is based on an underlying data point. Taken together, these data points describe a problem and point to a solution that is available if Acme Widgets makes a change or takes an action.
Cost projections back up your suggestions
Here’s another scenario where metrics tell a business story. Acme Widgets has been using an internal cloud for a year. Now, it wants to expand cloud services to business partners. As head of security, your first instinct might be to say, “Don’t do that.” But the CEO has a business plan, with numbers showing how much money the company will make. As the CISO, you can say, “This is great, and the security team looks forward to helping.” You can then note that when the cloud system went live for internal use, the rate of security incidents tripled, and making it available to business partners is likely to at least triple it again. The plan's cost projections should therefore include the resources needed to handle the anticipated increase in incident volume, which will cost $XX. In this way, you’re being a team player, offering a positive analysis with metrics to back up your points.
Security professionals must be completely tuned in to what’s important to the business. If you work for Acme Widgets and your security team has absolutely zero impact on widget production, you had best polish up your resume. But if it turns out you do have a potential impact on widget production, your security metrics must show that.
My favorite metric
So I must admit that I have a favorite metric that has proven to be useful in many situations. You should track the time between a reported vulnerability and when it’s fixed; then plot that time against the number of incidents attributed to that known vulnerability. I call that the ‘I told you so’ metric. It works every time.
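The following Python script is an added example, not code from the original post or from any Tenable product. It computes the metric described above from constructed vulnerability and incident records: for each reported vulnerability it measures the exposure window (report date to fix date, or to the reporting date if still open), counts the incidents attributed to that vulnerability while it was open, bands the results by exposure time (the "plot"), and reports the correlation between the two. Identifiers, dates and the band boundaries are hypothetical. Incidents attributed to a vulnerability after its fix date are reported separately, because they indicate a fix that did not take rather than a slow one.

```python
from dataclasses import dataclass
from datetime import date
from math import sqrt
from typing import Dict, List, Optional, Tuple


# Constructed sample data (hypothetical identifiers and dates, not figures
# from the original post).
@dataclass(frozen=True)
class Vuln:
    vid: str
    reported: date
    fixed: Optional[date]       # None means still open as of AS_OF


@dataclass(frozen=True)
class Incident:
    iid: str
    occurred: date
    attributed_to: str          # vid that the root-cause analysis blamed


VULNS = [
    Vuln("VULN-001", date(2015, 1, 5), date(2015, 1, 12)),
    Vuln("VULN-002", date(2015, 1, 20), date(2015, 4, 30)),
    Vuln("VULN-003", date(2015, 2, 2), date(2015, 2, 4)),
    Vuln("VULN-004", date(2015, 3, 1), None),
    Vuln("VULN-005", date(2015, 3, 15), date(2015, 8, 1)),
    Vuln("VULN-006", date(2015, 4, 1), date(2015, 4, 20)),
    Vuln("VULN-007", date(2015, 5, 1), date(2015, 6, 30)),
]

INCIDENTS = [
    Incident("INC-1", date(2015, 3, 3), "VULN-002"),
    Incident("INC-2", date(2015, 4, 10), "VULN-002"),
    Incident("INC-3", date(2015, 4, 22), "VULN-002"),
    Incident("INC-4", date(2015, 6, 1), "VULN-004"),
    Incident("INC-5", date(2015, 7, 14), "VULN-005"),
    Incident("INC-6", date(2015, 7, 20), "VULN-005"),
    Incident("INC-7", date(2015, 5, 2), "VULN-004"),
    Incident("INC-8", date(2015, 8, 10), "VULN-005"),   # after the fix date
    Incident("INC-9", date(2015, 4, 15), "VULN-006"),
    Incident("INC-10", date(2015, 6, 10), "VULN-007"),
]

AS_OF = date(2015, 9, 1)        # date the report is produced (hypothetical)

# Exposure-time bands used to plot the metric: (label, low days, high days).
BUCKETS = [("0-7", 0, 7), ("8-30", 8, 30), ("31-90", 31, 90), ("91+", 91, None)]


def days_exposed(v: Vuln, as_of: date = AS_OF) -> int:
    """Calendar days from report to fix, or to as_of when still unfixed."""
    return ((v.fixed or as_of) - v.reported).days


def incident_counts(v: Vuln, incidents: List[Incident]) -> Tuple[int, int]:
    """(incidents while the vulnerability was open, incidents after its fix)."""
    during = after = 0
    for inc in incidents:
        if inc.attributed_to != v.vid:
            continue
        if v.fixed is not None and inc.occurred > v.fixed:
            after += 1              # fix did not take, or was incomplete
        else:
            during += 1
    return during, after


def told_you_so(vulns: List[Vuln], incidents: List[Incident],
                as_of: date = AS_OF) -> List[Dict]:
    """One row per vulnerability: exposure window vs attributed incidents."""
    rows = []
    for v in vulns:
        during, after = incident_counts(v, incidents)
        rows.append({"vid": v.vid, "days_exposed": days_exposed(v, as_of),
                     "open": v.fixed is None, "incidents": during,
                     "after_fix": after})
    return rows


def bucket_by_exposure(rows: List[Dict]) -> Dict[str, Tuple[int, int]]:
    """Band rows by exposure time: label -> (vulnerabilities, incidents)."""
    out = {label: [0, 0] for label, _, _ in BUCKETS}
    for r in rows:
        for label, lo, hi in BUCKETS:
            if r["days_exposed"] >= lo and (hi is None or r["days_exposed"] <= hi):
                out[label][0] += 1
                out[label][1] += r["incidents"]
                break
    return {k: (v[0], v[1]) for k, v in out.items()}


def pearson(xs: List[float], ys: List[float]) -> float:
    """Pearson correlation coefficient, computed without third-party libraries."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


def exposure_incident_correlation(rows: List[Dict]) -> float:
    """How strongly time-to-fix tracks incident count across the dataset."""
    return pearson([r["days_exposed"] for r in rows],
                   [r["incidents"] for r in rows])


if __name__ == "__main__":
    rows = told_you_so(VULNS, INCIDENTS)
    for r in rows:
        print(f'{r["vid"]}: {r["days_exposed"]:4d} days exposed'
              f'{" (still open)" if r["open"] else ""}, '
              f'{r["incidents"]} incidents, {r["after_fix"]} after fix')
    for label, (n, inc) in bucket_by_exposure(rows).items():
        print(f"{label:>6} days: {n} vulnerabilities, {inc} incidents")
    print(f"correlation(days exposed, incidents) = "
          f"{exposure_incident_correlation(rows):.2f}")
```

Run it as a script to see the per-vulnerability table, the banded view and the correlation. On the constructed data every incident falls on a vulnerability that stayed open longer than 90 days or had a fix that did not hold, which is exactly the picture the metric is meant to put in front of the board.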
Tenable Network Security recently sponsored a Mighty Guides publication on Using Security Metrics to Drive Action. This e-book is a compilation of thoughtful essays from 33 experts to help you communicate your security program’s effectiveness to business executives and your board. Their first-hand experiences are insightful and offer best practices that you can implement in your own organization.
Marcus J. Ranum, Senior Strategist at Tenable Network Security, is a world-renowned expert on security system design and implementation. Since the late 1980s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR’s Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC “Clue” award for service to the security community, and he also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by the Techno Security Conference.
Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable’s customers range from Fortune Global 500 companies, to the Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail and energy. Transform security with Tenable, the creators of Nessus® and leaders in continuous monitoring, by visiting tenable.com.