Information Security Metric Program
Why is an Information Security Metric Program Important in an Organization?
These days we are witnessing an increasing number of cyber security incidents across all industry domains. No industry can claim that it is not vulnerable to cyber security incidents. Boards of directors and senior management need to educate themselves on their organization's exposure to these cyber-related risks. Management teams and board members are seeking a better understanding of how a cyber security initiative can enhance their organization's strategic operations. Board members should be asking many questions about the security environment of the organization, such as "How secure are we from a particular threat?" and "How secure is our organization's data?" Security professionals need to be able to answer these questions and help board members understand that cyber security does not control the threat landscape facing the organization.
Information security leaders must understand and embrace metrics as critical tools to tell their story about value. There is no specific template for what should be measured with metrics; every company's business environment is different. In an organization it is very easy to collect tons of metrics data from security devices. The security metrics data collected needs to be relevant, and the metrics should be used to explain how the security services support the organization and its objectives.
What are Information Security Metrics?
Security metrics are objective measurements that tell us about our current level of safety and show us how to achieve our security and business goals. Good metrics facilitate discussion, insight, and analysis. The most important thing to remember is that not all metrics are good, and not all metrics are bad either. An organization needs to find the right metrics, the ones that will help improve its security program and achieve its goals. Implementing security metrics is one way of measuring the effectiveness of a company's security program.
What to consider before generating or collecting security metrics
There is no specific template for what should be measured with security metrics; every organization's business environment is different. I would recommend, however, that metrics be reported to senior leadership, including the board of directors. Metrics should have a narrative: they should be able to explain how the cyber security services support the organization's strategic objectives.
What is the purpose of metrics?
Metrics should support a business goal. Connecting metrics to the business will help to prioritize resources more efficiently.
Are the metrics controllable?
For metrics to have worth, they must demonstrate that specific goals are being met. So metrics should measure processes and outcomes that the team controls.
How trustworthy is your data?
The data used to create a metric should have a high level of accuracy, precision and reliability.
Is it easy to process and analyze?
The data should be collected, processed and posted to a central collection point. It should not take a long time to prepare and report your metrics. For example, if metrics are used in a weekly report, it should take two to three days to collect, process and post the received
Security Metrics should be SMART
The key to effective metrics is to use a set of criteria to determine which of the nearly infinite number of candidate metrics are the most suitable. Good metrics should be SMART:
- Specific: Based on a clearly understood goal; clear and concise
- Measurable: Able to be measured; quantifiable
- Attainable: Realistic; based on important goals and values
- Relevant: Directly related to a specific activity or to goals and values
- Timely: Grounded in a specific time frame
Security metrics will be valuable and meaningful if they produce proven or quantifiable data, such as results in percentages or averages. Another thing to remember is that the metrics should be within the reach of recurring processes. Beyond SMART, useful metrics are also:
- Accurate: A reasonable degree of accuracy is generally adequate.
- Cost effective: The measurements cannot be too expensive to acquire or maintain
- Repeatable: The measure must be able to be acquired reliably over time
- Predictive: Measurements should be indicative of outcomes
- Actionable: It should be clear to the recipient what action must be taken
What to include in Security metrics
Following are some suggestions and guidance on what to include in security metrics. Much of the data you require can probably be gathered from existing sources within the corporate environment. The following sample list includes some tools that are likely to provide metrics data:
- Governance, Risk and Compliance Management
- Exception tracking and documentation
- Configuration compliance tracking
- Firewall/switch audit data
- Patching levels
- Regulatory control compliance
- Penetration of systems
- SIEM (Security information and event management)
- Anti-Virus/Anti-Malware
- Intrusion Detection/Prevention
- Anti-SPAM filter
- Vulnerability Management Data
- Internal and external vulnerabilities data
- Vulnerability by severity (Criticality or priority) rating
- Vulnerability aging data
- Patch Management
- Application Security Scanners
- Red Team Exercise
- Web Application Firewalls
- Secure Web Gateway/Web proxy
- Configuration Hardening
- Network Access Control
- Unified Threat Management
- Whole Disk Encryption
- Data Leakage Protection
In addition to the above metric sources, I would highly recommend looking at metrics for the security processes themselves:
- Change Management
- Identity Access Management
- Incident Response
- Security Awareness Training
- Disaster Recovery and Business Continuity
- Help Desk
The above recommendations help security leaders identify the data and services needed to build their metrics. It is important to remember that the business environment will influence what data is collected to form these metrics. These metrics will also depend on the technologies deployed as part of the security platform, the security controls in place, and the contracts for security services provided to the company.
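As an added illustration (not from the original article), the block below turns one of the sources listed above, vulnerability aging data, into a metric that meets the criteria discussed: it is measurable (a percentage and a median per severity), repeatable from a scanner export, and actionable (any finding over its SLA names overdue work). The findings, the as-of date and the SLA values are constructed assumptions.

```python
# Added example (not from the original article): building a SMART,
# actionable metric from vulnerability aging data. The findings below,
# the as-of date and the remediation SLAs are constructed assumptions.
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed remediation SLA per severity, in days (constructed values).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Report date for this run (constructed, fixed so results are repeatable).
AS_OF = date(2024, 6, 3)

# Constructed sample export from a vulnerability scanner:
# (host, severity, first_seen, closed_on or None when still open)
FINDINGS = [
    ("web-01", "critical", date(2024, 5, 1), None),
    ("web-01", "high", date(2024, 4, 10), date(2024, 5, 2)),
    ("db-02", "critical", date(2024, 5, 20), None),
    ("db-02", "medium", date(2024, 2, 1), None),
    ("app-03", "high", date(2024, 5, 25), None),
    ("app-03", "low", date(2024, 1, 5), None),
    ("app-04", "critical", date(2024, 5, 28), date(2024, 6, 1)),
]


def aging_metric(findings, as_of, sla_days=SLA_DAYS):
    """Per severity: open count, median age of open findings, and the
    percentage of open findings older than their SLA. Anything above 0%
    is work that is already overdue, which is what makes it actionable."""
    ages = defaultdict(list)
    for _host, severity, first_seen, closed_on in findings:
        if closed_on is None:  # only still-open findings keep aging
            ages[severity].append((as_of - first_seen).days)
    report = {}
    for severity, sla in sla_days.items():
        open_ages = ages.get(severity, [])
        overdue = sum(1 for age in open_ages if age > sla)
        report[severity] = {
            "open": len(open_ages),
            "median_age_days": median(open_ages) if open_ages else 0,
            "pct_over_sla": round(100 * overdue / len(open_ages), 1) if open_ages else 0.0,
        }
    return report


if __name__ == "__main__":
    for sev, row in aging_metric(FINDINGS, AS_OF).items():
        print(f"{sev:8} open={row['open']} median_age={row['median_age_days']}d "
              f"over_sla={row['pct_over_sla']}%")
```

Run weekly against a fresh export with the same SLA table and the trend of pct_over_sla per severity becomes the narrative for leadership, rather than a raw count of findings.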
In Conclusion
Many substantial benefits can be derived from initiating a security metrics program. At the onset it requires only a meager investment, comprised mostly of the time spent planning, gathering data and producing each report. This makes a security metrics program an intriguing project, especially in economically challenging times when funding can be tricky to secure. If you remain focused on satisfying the business needs of the consumer and follow the basic guidelines presented here, you can have a positive impact on the performance of your organization. Furthermore, by equipping management and the board of directors with objective measurements, you demonstrate the increased maturity of your security program and the likelihood of its success. Of course, all the items mentioned above would need to be driven and accepted by the organization. If the items above do not meet the SMART criteria, they should be tabled until the company can accurately and meaningfully measure the component.