Metrics: Valuable security indicator or noise?
by Dwayne Melancon - CTO at Tripwire - Thursday, 18 July 2013.
Many organizations believe that IT, and by association IT security, is a wasted expense. They recognize that the financial investment needs to be made, but few truly understand what they are rubber-stamping, and even fewer believe they will see a return on this outlay. It does not have to be this way. How can security support revenue growth and profitability? The secret is metrics.

Metrics: More than numbers

By definition, metrics are ‘parameters or measures of quantitative assessment used for measurement, comparison or to track performance or production.’

When it comes to an organization's network infrastructure, and even its security, metrics are a powerful indicator of how well, or how badly, the enterprise responds to a given situation.

The reason many organizations fall short when using metrics is miscommunication. When justifying additional budget, IT will often deliver reports detailing user access, permission structures and patch management timetables.

A request for extra storage is made under the guise of gigabytes, terabytes and petabytes. Even orders for desktop computers, tablets and smartphones are complicated by a myriad of confusing acronyms and abbreviations.

While on the surface it all sounds plausible, and perhaps vitally important, what does it actually mean to the business? The reality is, not a lot. Instead of blindly accepting the proposal, CEOs need to demand comprehensible reports from the IT team, framed against the mission of the organization.

False flags

Let's start by looking at one metric that is often tracked but has little relevance as a management metric: the cost of the security program. In reality there is little correlation between cost and security. If I halved the security budget, would I be half as secure? If I doubled it, would I be twice as secure? Of course not; unfortunately, information security does not work like that.

Security is not just the remit of the CISO; it is a team effort. Decisions need to be made with a cross-functional view (senior management, business units, sales, marketing, legal, customer support and so on) so that everyone knows the part they play, and IT understands how to weave the disparate elements together.

Mission-based geek

As an illustration, a large US retailer defines its CISO’s mission as:
  • Ensure our site is available to our customers when they want to shop
  • Ensure that our customers feel safe and secure as they shop with us
  • Ensure that our customers' information is safe with us at all times
  • Ensure that we satisfy the necessary legal, regulatory or internal requirements so that we remain a viable business.
With that clarity, the executive team is able to ask the CISO for metrics framed against these objectives. With each passing month, IT's results offer intelligence on how well the infrastructure and other areas of the business are performing in support of the mission, highlighting inadequacies and allowing adjustments to be made.

The unrealistic goal

Many executive teams set their CISO up for failure by setting the 'mission' as zero breaches. In the real world, things will happen: vulnerabilities will be exploited, and the organization may suffer a breach in spite of its best efforts. With 'zero breaches' as the target, your CISO will either fail or resign first.
