Hi, my name is Caroline Wong. And today I’m going to be talking about a beginner’s guide to security metrics. I currently manage the security program at Zynga Inc., and I was formerly the Chief of Staff for the Global Information Security Team at eBay, where I developed eBay’s security metrics program from the ground up. I’m currently also involved in industry initiatives having to do with metrics definitions, including working with the Cloud Security Alliance Metrics Working Group, as well as the Center for Internet Security.
The talk that I’m presenting today is a talk that I wish that I had been able to see when I had started my metrics program. So today it’s going to be very practical how-to advice and some lessons learned from someone who’s been there before.
Why measure security?
So, what we’re going to start with today is why you would measure security in the first place, what some of the benefits to measuring security are. I’ll talk about how to get started with some easy steps, and I’ll also give you some advice and lessons learned from things that, if I could do it again, I might have done differently.
The first topic we’ll begin with today is: why measure security? What are some of the benefits to implementing a robust security metrics program?
Optimizing the use of resources
First of all, we’ve got limited resources. I think that any of us in the information security industry can agree that we never have as many resources as we’d like in order to do all of the work that we need to do. Dan Gear once said brilliantly that in order for a security attacker to be effective they only need to find one exploit and perform one attack that works. However on the protection side, as information security professionals we are tasked with the job of protecting against all the attacks that are possible across the spectrum. And so in order to be most effective, we’ve got to consider the limited headcount and budget and resources that we have to spend on the information security program and use those resources as wisely as possible. So security metrics, basically, help to measure the effectiveness of your security program activities in order to get the most bang for your buck.
Getting more outcomes-oriented
One benefit of security metrics that I want to talk about is figuring out what’s happening, some of that insight and that visibility into a security program. So much of the work that we do in security is very practice-oriented: you know, perform vulnerability scans, perform assessments. We are very-very practice-oriented, and what I like about security metrics is it sort of forces us to become more outcomes-oriented – what are the results of the work that we’re doing?
For example, I mentioned vulnerability scanning; I think that this is a great example of a security activity that a lot of organizations perform on a regular basis, we all know that it’s a good thing to do, hopefully we’re all doing it regularly. But if you kind of bring security metrics into the mix, then you can start to look at the fact that there’s a difference between performing vulnerability scans and identifying how many of those vulnerabilities have actually been remediated and fixed. So if you think about bringing security metrics into the practices that you’re doing and examining some of those outcomes, then maybe your focus begins to shift from what’s the work that you’re doing – to what are the outcomes; and whether you are really focusing your resources on the right thing. So in this case we’re talking about spending resources on finding vulnerabilities; we’re also talking about maybe a shift to using resources to fixing those vulnerabilities. I think that with security metrics and defining security metrics’ goals, it enables us to be much more exact and much more crisp about the work that we want to be doing.
Gathering data for efficient decision-making
Another benefit to doing security metrics is being able to gather data in order to make and also to justify better decision-making. The question that I ask when trying to do security metrics about decisions is: how do you know that the work that you’re doing is right? We’ve talked a little bit about a lot of best practices and a lot of security activities, but security metrics really pull that focus to what’s the outcome. From a strategic perspective, security metrics can help you decide how to spend your resources, what your resources should be working on, as well as operationally – you know, what those resources should really spend their time doing. So, again, how are you investing your security program and what are the results that you are getting out of it?
I have an idea that decisions that you make with regards to a security program actually ought to be different if you are using security metrics, because I think that’s the difference between being blind to data that exists or being able to see that data. And if it’s useful data, then I believe that your decisions ought to be different than what they would have been. I think that it would be silly to collect information about something that you already know. I think that’s a waste of resources, and hopefully the targets that you identify for your security metrics program provide you with data so that you can make different and better decisions.
Another benefit to security metrics is getting better. I was talking with Andy Jaquith the other day, who is a big thought leader in this area; and Andy and I were talking about benefits of security metrics, and one of the ones that he brought up was getting people off the couch: how do you use some sort of sense of competition or accomplishing a goal in order to drive people to do better. I believe that you can always do better from what you’re doing today. Hopefully today we’re doing better than we did yesterday, and hopefully we’re setting things up in a way that we’ll be doing even better tomorrow. I think that when it comes to security metrics it’s very important to be honest with yourself about where you are, and also be reasonable about where you believe you can go and in what sort of a time period.
Another piece of getting better is not only within a security team or security function, but rather than that this idea can extend throughout an organization to the stakeholders and the sponsors of the information security program. Establishing a security metrics program can help to create and establish a lexicon with these different sponsors and stakeholders so that when you go around doing your information security work talking about it, people have a better understanding of what you’re trying to accomplish. As information security professionals, we are the experts in this area. We also have a responsibility to explain the work that we’re doing and why we’re doing it to others.