Data breach headlines have become a convenient tool for chief security officers negotiating budgets. However, fear is not a sustainable way to justify investment in security. At some point the CFO will demand quantitative evidence to justify additional spending on the security program, or to evaluate the return on previous investments.
In many organizations, security is just part of the broader IT function, appearing as a line item in the overall budget. But unlike other IT investments – such as high-end servers or automation software – it is difficult for a CSO to demonstrate the ROI of security measures. Often in IT, managers can point to faster compute systems, reduced help-desk ticket times and better network speeds as evidence of the value created by their spending, but information security does not lend itself to comparable ROI metrics.
To close this gap, CSOs should maintain a dashboard that presents evidence of the effectiveness of their security management systems. In other words, they should be able to show, with measurements rather than anecdotes, how well their organization's overall information security program is working.
Establish a performance management system: Identify key performance indicators (KPIs) for your security program. The goal is to find easy-to-measure metrics that act as a proxy for the strength of your program and its strategic objectives for information security. For example, if one of your defined goals is to ensure the protection of sensitive information in storage and in transit, then KPIs for this objective could include: the percentage of sensitive communication channels with data-in-transit encryption; the percentage of databases storing sensitive information that are covered by a privileged access management system; and the percentage of former employees whose access is revoked within 24 hours of termination. Each KPI should name its data source (for example, the HR termination feed and the identity system's deprovisioning log) and its measurement interval, so that two people computing it get the same number.
Refine security event reporting: Implementing a SIEM (security information and event management) system is a great way to capture key security metrics, as it gives you an aggregated view of the critical activity on your network. However, if your SIEM fails to report on the events that are critical to your security strategy, the investment is called into question. At the other end of the spectrum, achieving 100 percent network coverage in your SIEM can be an expensive proposition, and the volume of events flagged by the system may eventually desensitize your operations team. For efficiency, your security strategy should identify and prioritize the data sources that matter to your protection objectives.
Measure response and resolution times: CSOs can demonstrate the value of their controls by measuring and reporting the response and resolution times of incidents captured by their SIEM. Define the clock explicitly (for example, time from detection to acknowledgement, and time from detection to resolution) so the numbers are comparable from quarter to quarter. It may be more efficient to restrict response time measurement to incidents that affect mission-critical resources rather than tracking every incident that crosses the network.
Audit for improvement: An audit is effective when used to review the success of the three recommendations identified above. Use periodic audits to capture KPIs, review incident reports and measure response and resolution times. The results should drive targeted improvements and help focus your investments on strengthening your security program.
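As an added illustration (not code from the original article or its author), the following Python computes two of the measurements discussed above from constructed sample records: the KPI for access revocation within 24 hours of termination, and the median acknowledgement and resolution times for incidents on mission-critical assets. The record layouts, asset names and timestamps are assumptions made for the example. Two edge cases a practitioner wants handled are shown: a former employee whose access was never revoked counts as a missed KPI rather than being dropped from the denominator, and an incident that is still open is counted and reported separately instead of silently skewing the resolution median.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional

# Hypothetical record layouts; a real implementation would read these from
# the HR termination feed, the identity system's deprovisioning log and the SIEM.
@dataclass
class Termination:
    user: str
    terminated_at: datetime
    revoked_at: Optional[datetime]  # None means access is still active

@dataclass
class Incident:
    incident_id: str
    asset: str
    detected_at: datetime
    acknowledged_at: Optional[datetime]
    resolved_at: Optional[datetime]  # None means the incident is still open

# Constructed sample data (not real organizations, users or events).
TERMINATIONS: List[Termination] = [
    Termination("alice", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 15, 0)),   # 6h: met
    Termination("bob",   datetime(2024, 3, 2, 17, 0), datetime(2024, 3, 4, 10, 0)),  # 41h: missed
    Termination("carol", datetime(2024, 3, 3, 9, 0), None),                          # never revoked: missed
    Termination("dave",  datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 6, 9, 0)),    # exactly 24h: met
]

CRITICAL_ASSETS = {"payroll-db", "customer-api"}

INCIDENTS: List[Incident] = [
    Incident("INC-1", "payroll-db",   datetime(2024, 3, 1, 8, 0),  datetime(2024, 3, 1, 8, 30),  datetime(2024, 3, 1, 12, 0)),
    Incident("INC-2", "dev-wiki",     datetime(2024, 3, 1, 9, 0),  datetime(2024, 3, 1, 9, 5),   datetime(2024, 3, 1, 9, 30)),   # not critical: excluded
    Incident("INC-3", "customer-api", datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 0, 0),   datetime(2024, 3, 3, 10, 0)),
    Incident("INC-4", "payroll-db",   datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 10, 15), None),                           # still open
]


def deprovisioning_kpi(records: Iterable[Termination], sla: timedelta = timedelta(hours=24)) -> float:
    """Percentage of former employees whose access was revoked within the SLA.

    A record with no revocation timestamp is a failure, not a missing data point:
    it stays in the denominator so un-revoked accounts drag the KPI down.
    """
    records = list(records)
    if not records:
        return 100.0  # nothing to revoke, nothing missed
    met = sum(1 for r in records
              if r.revoked_at is not None and r.revoked_at - r.terminated_at <= sla)
    return 100.0 * met / len(records)


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600.0


def critical_response_times(incidents: Iterable[Incident], critical_assets: set) -> Dict[str, Optional[float]]:
    """Median detection-to-acknowledgement and detection-to-resolution, in hours,
    restricted to incidents on mission-critical assets. Open incidents are counted
    but excluded from the resolution median rather than being treated as resolved."""
    scoped = [i for i in incidents if i.asset in critical_assets]
    ack = [_hours(i.acknowledged_at, i.detected_at) for i in scoped if i.acknowledged_at]
    res = [_hours(i.resolved_at, i.detected_at) for i in scoped if i.resolved_at]
    return {
        "incidents": len(scoped),
        "open": sum(1 for i in scoped if i.resolved_at is None),
        "median_ack_hours": median(ack) if ack else None,
        "median_resolve_hours": median(res) if res else None,
    }


def dashboard() -> Dict[str, object]:
    """The two figures a CSO would put on the dashboard for this reporting period."""
    return {
        "access_revoked_within_24h_pct": deprovisioning_kpi(TERMINATIONS),
        "critical_incident_response": critical_response_times(INCIDENTS, CRITICAL_ASSETS),
    }


if __name__ == "__main__":
    for name, value in dashboard().items():
        print(f"{name}: {value}")
```

On the sample data the revocation KPI is 50 percent (two of four met the 24-hour target, with carol's un-revoked account counted as a miss), and across the three critical-asset incidents the median acknowledgement time is 0.5 hours with a median resolution of 8 hours, one incident still open. The choice to keep un-revoked accounts and open incidents visible in the numbers is deliberate: a KPI that quietly drops its worst cases is exactly the kind of figure a CFO will later discount.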
As more internal and external stakeholders take interest in an organization's security profile, CSOs must be able to present a quantitative model that measures the effectiveness of their controls. With the aid of tangible metrics, security professionals can elevate information security from a dark art that is understood by few, to a critical component of executive and board-level planning.
Francis Ofungwu is director, network security services at Unisys.