Getting started with measuring security
So, now that we’ve talked about why you would do security metrics in the first place, I’m going to go into a little bit of how you would get started. And this for me was a little bit of a struggle. When I started a few years ago I looked for books in the area, I looked for talks in the area. Even as of last year, at the MetriCon conference we discovered that of the various security organizations that had been polled – really, none were very good at security metrics yet. A lot of people had not started and in fact could not justify spending valuable resources on measuring security. I believe they thought: “Why would you spend money on measuring security? Why not spend money on doing the security?” – which is something that we’re talking about here with regards to making the most efficient use of a security program.
And I also think that sometimes, with the compliance environment that we have, in some cases it’s very complex, so you’ve got a lot of responsibilities that you’re doing to try and stay in compliance with the law. We also have complexities coming from the number of different security technologies that we have deployed, so I think it’s easy to start with the security technology and take a look at the metrics that may have been built in by that vendor.
Today I’m actually going to propose a different approach, and it’s going to kind of start with some questions. Ideally, I would love to sit here and tell you that, in terms of doing security metrics, there are 5 security metrics, and if you just follow these 5 steps – you know, everyone can do it, exactly the same, and you’ll do great. Unfortunately, that’s not the way it works. I believe that security metrics for any security program and for any organization are going to be unique depending on the type of business you’re in, the objectives of the business strategy that you’re in, the different compliance environment that you’re in.
Focus on targets for improvement
And so the first thing to do when you’re getting started is, really, to zero in on those targets for improvement. I think in this area it’s very easy to get lost and overwhelmed very quickly; there’s a lot of stuff that goes on in security, there are a lot of different things that we could choose to measure. But what I propose for a good way to start is to really narrow in on one or two or three target areas to focus on. And shortly we’ll talk about how to do that.
Set clear goals
The next step is to set clear goals for what you want to accomplish. One of the ideas that I think is very applicable here is the SMART metric system: so, to ensure that your metrics are specific, that they’re measurable, that they’re actionable, that they’re reasonable, and that they’re time-based.
Measure and report your progress
And then, the final step as you begin along your metrics project once you’ve established the baseline – you know, you’ve figured out what your goals are going to be and you start marching toward those goals – is to continuously and consistently measure and report your progress. And here I’d like to talk about an example of running a marathon. I chose to run a marathon in 2008, and it was something that I had never done before; in fact, in my life I had only run 7 miles at a stretch. And a marathon is 26.2 miles. The marathon that I signed up for was in June, and I started training in February, so I had a very specific, measurable, actionable, reasonable, and time-based goal. I really wanted to learn, in the span of a few months, how to run 26.2 miles without stopping.
I think it’s something that we can sort of take into our security practice, something that’s kind of physical and easy to understand; but it really drives home that point of setting a clear goal with a specific time frame – you know, going from 7 miles to 26.2 in a few months. And then along the way, training appropriately, checking in: for me it was checking in with my running team, checking in with my coaches to make sure that my progress was reasonable, to be able to correct any errors – you know, if I discovered along the way, for example, that my running form was poor and it was affecting my knees. Similarly, when you proceed along a security metrics project you may start going and you may identify that there are some issues maybe with the process that you’re trying to work in or with the technology. And so, as you sort of go along the way, checking in periodically with stakeholders to make sure that you’re on the right track and to adjust expectations to ensure they consistently stay reasonable. So, that’s how we start.
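To make the “set a SMART goal, establish a baseline, then check in periodically” idea concrete, here is a small Python tracker written for this edit; it is not code from the talk or from any tool the speaker uses. It encodes a metric with the five SMART properties, projects where a steady improvement should be on any check-in date, and reports whether the latest reading is on track. The two sample metrics (the speaker’s marathon goal and a days-to-patch metric) and all of their readings are constructed illustrations.

```python
"""Added example (not from the talk): track a SMART security metric against a
baseline, a target and a deadline, and check in on progress the way the speaker
describes checking in on marathon training. All names and values are constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SmartMetric:
    """A metric carrying the SMART properties listed in the talk.

    specific   -> one name and one unit
    measurable -> numeric baseline and target in that unit
    actionable -> an owner who can change the value
    reasonable -> target expressed relative to a measured baseline
    time-based -> a start date and a deadline
    """
    name: str
    unit: str
    owner: str
    baseline: float
    target: float
    start: date
    deadline: date
    readings: list = field(default_factory=list)  # (date, value) pairs

    def __post_init__(self):
        # Reject definitions that are not SMART before any data is collected.
        if not self.owner:
            raise ValueError("metric needs an owner (actionable)")
        if self.deadline <= self.start:
            raise ValueError("deadline must be after start (time-based)")
        if self.target == self.baseline:
            raise ValueError("target equals baseline; nothing to improve")

    def record(self, when: date, value: float) -> None:
        """Store one check-in reading and keep readings in date order."""
        self.readings.append((when, value))
        self.readings.sort()

    def _latest(self, when: date):
        values = [v for d, v in self.readings if d <= when]
        return values[-1] if values else None

    def expected_on(self, when: date) -> float:
        """Value a steady, linear improvement would have reached by `when`."""
        total = (self.deadline - self.start).days
        elapsed = min(max((when - self.start).days, 0), total)
        return self.baseline + (self.target - self.baseline) * elapsed / total

    def progress(self, when: date) -> float:
        """Fraction of the baseline-to-target gap closed by the latest reading."""
        current = self._latest(when)
        if current is None:
            return 0.0
        return (current - self.baseline) / (self.target - self.baseline)

    def on_track(self, when: date) -> bool:
        """True when the latest reading is at least as far along as the schedule.
        Works for metrics where higher is better and where lower is better."""
        current = self._latest(when)
        if current is None:
            return False
        expected = self.expected_on(when)
        return current >= expected if self.target > self.baseline else current <= expected

    def report(self, when: date) -> str:
        """One-line status suitable for a periodic stakeholder check-in."""
        current = self._latest(when)
        current = self.baseline if current is None else current
        status = "on track" if self.on_track(when) else "behind schedule"
        return (f"{self.name}: {current:g} {self.unit} on {when} "
                f"(schedule {self.expected_on(when):.1f}, target {self.target:g} "
                f"by {self.deadline}, {self.progress(when):.0%} of gap closed) -> {status}")


def marathon_example() -> SmartMetric:
    """The speaker's goal as a constructed illustration: 7 miles in February,
    26.2 miles by June 2008. The monthly readings are made up."""
    m = SmartMetric("longest training run", "miles", "me",
                    baseline=7.0, target=26.2,
                    start=date(2008, 2, 1), deadline=date(2008, 6, 1))
    m.record(date(2008, 3, 1), 12.0)
    m.record(date(2008, 4, 1), 15.0)
    return m


def patch_latency_example() -> SmartMetric:
    """A security metric where lower is better; owner, dates and readings are
    constructed placeholders."""
    m = SmartMetric("mean days to patch critical findings", "days", "vuln-mgmt team",
                    baseline=45.0, target=15.0,
                    start=date(2024, 1, 1), deadline=date(2024, 7, 1))
    m.record(date(2024, 2, 1), 38.0)
    m.record(date(2024, 4, 1), 32.0)
    return m


if __name__ == "__main__":
    print(marathon_example().report(date(2008, 4, 1)))
    print(patch_latency_example().report(date(2024, 4, 1)))
```

Running the script prints one status line per metric; in the constructed data both metrics start on track at the first check-in and fall behind the linear schedule by the second, which is exactly the moment the speaker describes for adjusting training, process or expectations. The linear schedule is a deliberate simplification; a real program would pick whatever trajectory the stakeholders agreed is reasonable.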
Choosing the area to zero in on
We also talked a little bit about how you choose the right area to focus on. So here I’d like to present some questions about where you should begin, so that it’s not such an overwhelming “Well, I could pick this data point or this data point, and measure this or that,” but rather to sort of start off knowing that you are in a very unique situation and figure out for your specific situation what the best security metrics for you to pursue are going to be. And some of these questions include:
- What’s important to your security program as well as to your business?
- What’s broken and needs fixing that you could perhaps measure to see what the current state of the situation is, as well as consistently measure as you’re getting better at it?
- What’s basic? You know, what would people expect to see in place? What has been in the news lately that somebody is going to be asking you about as a security expert that you’ll want to have a good answer to?
- And also, maybe if you’ve got all these bases covered – what’s new? You know, what are you working on for the first time? What are you newly developing or creating?
We’ll go ahead and start with what’s important. Three of the areas that we’re going to talk about here are compliance, which is extremely important for some organizations – a lot more, for example, in the financial industry; risk – I think that for all security professionals risk is important; as well as how to enable your business. These are things that, if you were to go talk to the CEO of your company, the chief risk officer, the chief financial officer, these are things that are going to be top of mind, and these are also therefore good targets for focusing your information security metrics program.
So, in terms of compliance – you know, gathering metrics to determine if your organization is at a posture where you’re going to pass or fail the next audit. Gathering security metrics in that area might be able to help you tell a story around what’s going on.
As far as risk is concerned – what do you believe are those high profile areas of risk? How well are they protected? How important are they to the business? And how can you build security metrics to tell a story around those?
And also, business enablers – what are the critical information assets at your organization? Who is responsible for managing those assets? What’s the lifecycle of those assets? And, you know, the answers to these questions will differ from security program to security program and from organization to organization, but they are just a few questions to help you get started.