CISOs can measure information security by applying smart and varied metrics that can help in efficiently securing the enterprise
CI0s and senior IT decision makers have a clear mandate to lay down parameters to measure the return on investments on every technology that they deploy. And in line with the mandate, CISOs find it important to monitor and measure information security in terms of validating, directing and justifying the security objectives set by them.
Why Monitor and Measure Security?
Sunil Varkey, Chief Information Security Officer, Wipro Technologies, points out that it is critical to validate previous decisions, baselines/bench marking that are set to prove a point--that the security is supporting the business objectives, priorities and strategic vision of the company.
Monitoring gives strict direction to activities in order to meet the set target and it is critical to justify with factual evidence or proof that a course of action is required.
“It is also important to intervene in order to identify a point of intervention including subsequent changes made and corrective actions taken to ensure strategic support is meeting quality assurance needs,” says Varkey.
“Measurable metrics can be applied to the data that is collected and which is accurate and complete, while actionable metrics can be applied to understand the data and action taken on it” Sunil Varkey, CISO, Wipro Technologies.
CISOs Should Understand Breach Discovery Methods
A periodic survey is recommended to get insights into breach discovery methods and their sources which would help in gauging and analysing breach trends. For instance, Varkey points out that about 69 per cent of the incidents were discovered by a third party as per the survey done internally, and about 9 per cent of the breaches were found by customers. Around 50 per cent of the breaches identified internally were spotted by end users rather than the IT team.
Building a Smart Metrics
Quite similar to any other goal setting standards and measuring them, information security tools fall under the smart metrics around functions: specific, measurable, achievable, relevant and timely. What does that mean? From a security stand point, Varkey states that the specific targeted area should be measured, not a by-product or result, and aligned with business goals.
Varkey points out, “Measurable metrics can be applied to the data collected and that which is accurate and complete, while actionable metrics can be applied to understand the data and action taken on it.”
The timeliness factor comes in when the data is available whenever there is a demand--its relevancy is measured by the criticality of data.
How to Build Metrics using 7 Steps
Varkey recommends seven steps to build the required metrics in the information security space, based on the objectives such as indentifying data, stating the vision, aligning with strategy, setting tactical goals and working with operational goals.
- Defining what security data needs to be measured
- Defining what can be measured
- Process of gathering the data
- How to use tools to analyse the data
- Presenting the analysed data in an appropriate format and using the information to??? the relevant situation
- Implementing the corrective action
Besides building metrics, Varkey recommends having a clear strategy to apply appropriate metrics to it. For instance, it would include implementation metrics, efficiency metrics, effectiveness metrics and impact metrics.
How do you Define Malware Metrics?
Malware metrics is another way of measuring malware attacks: it takes stock of the incidents, percentage of assets affected in the infrastructure, affecting operations and efficiency by way of assessing malware detected in real time versus scheduled scans and a number of items that are infected within the stipulated time.
Data sources are a critical component of malware metrics which can help detect and measure malware attacks. They would include Proxy, e-mail, DNS, firewall, IDS/IPS, asset vulnerability data and AD.
Creating the Metric Development Template
Varkey argues that it is crucial to create a template that can help in measuring security effectively.
CISOs need to create a metric ID and unique ID
Under the metric ID, key aspects need to be included such as goal, measure, type, formula, target, implementation evidence, frequency, responsible parties, data source and reporting format and so on.
The unique ID will comprise a statement of a strategic goal, statement of measure in percentage, number, average etc., implementation/effectiveness, efficiency/impact. Other aspects would understand the threshold for a satisfactory rating for the measure, implementation evidence to compute the metric, validate performance, and identify probable causes of unsatisfactory results. Indication of how often the data is collected,analysed and reported and spelling out the ownership around data, information around who is gathering data and who is the customer also are key aspects. Location of data to be used in calculating the metric and indication of how the metric will be reported falls under unique ID requirements.
Challenges in Building Effective Metrics
Most CISOs face challenges when initiating measuring techniques. These may be due to lack of management commitment, measuring too much and too soon, measuring too little or too late, measuring wrong data, imprecise metrics definitions and so on.
Varkey points, “Critical challenges would be because of using metrics data to evaluate individuals, using metrics to motivate rather than understand, collect data that is not used or lack of communication and training that would result in insufficient measuring of security.”