When you think of security metrics, what's the first thing that pops into your mind? OK, after you yawn, what's the first thing? While security metrics themselves may not exude excitement, what if your metrics quickly revealed just the type of information you need that leads to a decision or action that helps solve a business problem? That would be exciting!
This should be the goal of any metrics program: incite the reader to action, whether that's acknowledgement that the controls you have in place are working, broken and need attention, or if there is truly a red alert flashing in the background.
This lofty goal isn't magical, nor mythical, and is most certainly achievable. How? By communicating information in a format your audience understands and which is meaningful to them specifically. Metrics should be relevant to your audience and actionable at the same time. For instance, operations teams might be keenly interested in the top current exploits or number of blocked malware requests in a given month, but the management team, not to mention the board, wants to focus on risk posture and trend analysis. They're not interested in the number of patches applied last week, only whether or not patching those systems decreased risk, improved uptime, and contributed to the business running smoothly so it can increase the bottom line. It's tricky and not just a matter of gathering statistics, so where do you start?
A first step is to understand what security teams should be measuring. Your first metrics goal should be to show the value of your information security program. An easy way to accomplish this is to monitor how well your controls are currently working. Begin with your controls framework (e.g., ISO 27001, NIST, FFIEC) and look for areas you already measure. One of the keys to ramping up a metrics program is to utilize data that is already being measured. Trying to start from the end result (i.e., picking the metrics you want) will just frustrate you; you'll spend all of your time seeking data that doesn't exist. Instead, find the highest priority controls then map them to the consequences of them working or not. In other words, what's the impact on the organization when they work, and what's the impact when they do not?
Let's take an easy example: anti-virus. Every organization has it and every anti-virus tool produces data on how many pieces of malware were found and stopped during time period X. That information is well and good, but the real question is: what do you want to say about anti-virus? How did these malware pieces get into your network in the first place? Learning this will take a little more digging, but the answer will have big implications to the business.
But wait! Didn't I just write that you should use accessible data so you don't spend all of your time up front hunting down more data? Yes, but every metrics program starts with a baseline. Look at what you have then ask what the data is telling you. Keep the big picture in mind: the effect on the business. When you dig deeper, you will find that you may need multiple sources to truly understand 1) what is going on and 2) if the control in question is really working as expected. This is not easy but it's absolutely worth the effort. Once you have that, keep the initial metric for yourself (a.k.a. your team) and then find the juicy stuff and show executive management what's really going on with business risk.
Developing an effective and actionable metrics program is an evolution. The first metrics you produce won't necessarily be the ones that support the business fully, but the important thing is to start somewhere. Think about what might be valuable to different areas of the business, work up some metrics, and then solicit feedback. What is important to them? How do they prefer to consume metrics: a spreadsheet, a pretty graph? Refine your metrics as you receive this feedback and evolve as business needs change. Each audience will be different, and you don't want them mired in the details: keep your message simple and relevant. If what you are presenting matters to your audience, you'll keep them from yawning, too, which will help you grow your metrics program, making it more beneficial to the business each step of the way!
About the author: Kristy Westphal, versatile information technology professional of 22 years with specific experience in providing advisory and management services in the area of information security and risk is currently employed as the Director, Risk and Assurance with Vantiv. Kristy will be leading an interactive roundtable on Metrics That Mean Something (aside from pretty graphs) at InfoSec World 2016.