The methodology is data-driven, using an organization’s existing sources of security data to set parameters that give stakeholders a clear alert when their business objectives are at risk. The idea is to enable enterprises and other entities to determine their overall risk posture and to address security risks proactively, before they affect the business. When threats or incidents do affect stakeholder objectives, IT departments want to identify the source of the risk quickly so they can make timely decisions on how to address the threat.
It can also assist regulatory compliance with better incident reporting, and can identify trends in threats and vulnerabilities that may affect compliance specifically.
Most organizations today are not able to do this with existing resources, and suffer from an inherent lack of visibility into key security data—even though the Ponemon Institute found in a survey last year that 75% of respondents rated metrics as “important” or “very important” to a risk-based security program.
“Security risks are getting harder for organizations to navigate, and point-solution defenses are no match for the adversaries,” said Arthur Wong, senior vice president and general manager, Enterprise Security Services, HP, in a statement. “By aligning information-security data with stakeholder business objectives, HP Security Metrics Services help transform organizations to a consistent, measurable and proactive security posture to make informed risk decisions and justify security spending.”
There is a well-documented disconnect between C-level and executive staff and the security department when it comes to the impact and value of security on the business as a whole. In the Ponemon survey, about half of the respondents (51%) said that they did not believe, or were unsure, that their organizations’ metrics adequately convey the effectiveness of security risk management efforts to senior executives. In addition, 53% of respondents did not believe, or were unsure, that the security metrics used in their organizations are properly aligned with business objectives.
Further, when asked why they did not create metrics that senior executives could readily understand, 59% of the security personnel polled said the information is too technical to be understood by non-technical management in any form, and 35% said it simply takes too much time and too many resources to prepare and report metrics for a non-technical audience.
HP is hoping to take this on directly with the new approach.
“We wanted to create a framework that could be used for communicating the value of security to the organization, and to help the information security staff to both justify their actions and their budget requests,” said Richard Archdeacon of the CTO’s office, lead for information security strategy for HP Enterprise Security Services, in an interview. “We’ve really wanted to connect the dots between business objectives and security.”
Those business goals depend on the organization of course, but market growth, cost reduction and geographic expansion are common themes.
The new HP Security Metrics Services use a framework that links IT assets to 34 identified key risk components, so that organizations can prioritize their business objectives and processes and correlate them with threats, vulnerabilities and incidents. These components are underpinned by a predefined library of security data sources, which specifies how each kind of data is gathered and how it feeds ongoing, business-related risk information.
Using this framework, a change in a risk indicator alerts stakeholders and shows which risk component category triggered the change. Once the category has been identified, stakeholders can drill down from the higher-level reporting through the trending, dashboard and raw data layers to investigate the cause of the changed risk-indicator status.
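To make the roll-up described above concrete, here is an added example, not HP’s framework or code, of the general pattern: existing security data (a vulnerability-scan export and an incident ticket list) is mapped through an asset inventory to the business process each asset supports, reduced to a per-process risk indicator, compared with a threshold, and kept together with the records that produced it so an alert can be drilled down to its cause. The indicator names, thresholds, asset names, CVE labels and dates are all constructed for illustration and are not taken from the article.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article). The asset inventory is the
# link between security data and the business: every asset supports one process.
ASSETS = {
    "web-01":  {"process": "customer-portal"},
    "web-02":  {"process": "customer-portal"},
    "bill-db": {"process": "billing"},
    "wiki-01": {"process": "internal-wiki"},
}

# Existing data source 1: vulnerability scanner export.
# (asset, finding id, severity, first seen, fixed date or None if still open)
SCAN_FINDINGS = [
    ("web-01",  "CVE-A", "high",     date(2013, 5, 1),  None),
    ("web-02",  "CVE-A", "high",     date(2013, 5, 1),  date(2013, 5, 10)),
    ("bill-db", "CVE-B", "critical", date(2013, 4, 20), None),
    ("wiki-01", "CVE-C", "medium",   date(2013, 5, 15), None),
]

# Existing data source 2: incident tickets. (asset, category, opened)
INCIDENTS = [
    ("web-01",  "malware",             date(2013, 5, 20)),
    ("bill-db", "unauthorized-access", date(2013, 5, 22)),
]

# Hypothetical key risk indicators and the value at which each flips to "alert".
KRI_THRESHOLDS = {
    "open_high_vuln_age_days": 14,  # oldest unpatched high/critical finding
    "incidents_30d": 2,             # incidents on the process's assets, last 30 days
}

# Reporting date used by the stand-alone run and by the checks below.
AS_OF = date(2013, 6, 1)


def compute_indicators(as_of, assets=ASSETS, findings=SCAN_FINDINGS,
                       incidents=INCIDENTS):
    """Roll raw security records up to per-process risk indicators.

    Returns {process: {indicator: (value, [contributing records])}}. Keeping the
    contributing records beside the value is what makes drill-down possible:
    a stakeholder sees the number and can open the exact findings behind it.
    """
    per_process = defaultdict(lambda: defaultdict(lambda: (0, [])))

    for asset, finding_id, severity, first_seen, fixed in findings:
        # Only open findings of high or critical severity count toward the KRI.
        if fixed is not None or severity not in ("high", "critical"):
            continue
        process = assets[asset]["process"]
        age = (as_of - first_seen).days
        value, detail = per_process[process]["open_high_vuln_age_days"]
        per_process[process]["open_high_vuln_age_days"] = (
            max(value, age), detail + [(asset, finding_id, age)])

    for asset, category, opened in incidents:
        if (as_of - opened).days > 30:
            continue
        process = assets[asset]["process"]
        value, detail = per_process[process]["incidents_30d"]
        per_process[process]["incidents_30d"] = (
            value + 1, detail + [(asset, category, opened.isoformat())])

    return {p: dict(ind) for p, ind in per_process.items()}


def alerts(as_of, thresholds=KRI_THRESHOLDS, **sources):
    """Return every indicator at or above its threshold, with drill-down detail."""
    out = []
    for process, indicators in compute_indicators(as_of, **sources).items():
        for name, (value, detail) in indicators.items():
            if value >= thresholds[name]:
                out.append({"process": process, "indicator": name,
                            "value": value, "threshold": thresholds[name],
                            "detail": detail})
    return sorted(out, key=lambda a: (a["process"], a["indicator"]))


if __name__ == "__main__":
    for a in alerts(AS_OF):
        print(f"{a['process']}: {a['indicator']} = {a['value']} "
              f"(threshold {a['threshold']})")
        for record in a["detail"]:
            print("   ", record)
```

With the constructed data, the two regulated-facing processes each carry an unpatched high-severity finding older than the 14-day threshold and so raise an alert, while the single incident per process stays below the incident threshold and the internal wiki, whose only finding is medium severity, produces no indicator at all. The thresholds are the “parameters” the article refers to; in practice they would be set from the organization’s own baseline rather than hard-coded.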
HP Security Metrics Services also use the HP Executive Scorecard software application to display critical business objectives in a dashboard. This gives at-a-glance security incident alerts from which users can quickly obtain additional detail, including processes and assets prioritized by their risk status.
Archdeacon gave the example of a utility company that HP has been working with for the last couple of years. Part of the organization’s strategy was a cost-reduction program, intended to free up funds for new solutions that would bring it closer to its customers and support better customer applications. That meant moving processes and infrastructure to the cloud, but because utilities are a regulated industry, the move created significant compliance requirements. The security team was therefore tasked with making sure that both technical and compliance vulnerabilities were addressed, and the faster it could do so, the more effective the cost reduction.
HP worked with the company to develop a framework, applying key performance indicators, or KPIs (HP has around 200 of them), to each part of the initiative. Crucially, it took a consultative approach to get the parties talking across the enterprise.
“The security function has evolved there because we have a framework to point to,” Archdeacon said. “We can then go to a structured conversation with the C-level.”
HP brought in a consulting practice and interviewed department heads from the head of IT to the CMO. It also ran workshops to explain how the security team was demonstrating regulatory compliance, and how the new technology approaches the utility was able to adopt, thanks to the cost reductions, were producing greater customer engagement.
“This company’s security activity is no longer measured just by technical fixes but how the actions related to the core strategic objectives,” Archdeacon said.