Infosecurity professionals are being challenged to justify the need for investment in security programs and resources. Why? Because organizations struggle to understand how to measure the return on investment. This often results in employing point technologies without considering the complexity of integrating into existing systems, or relying on traditional security controls that are out of date and processes that have not adapted to the changing threat landscape.
A more drastic approach often relies on organizations only deciding to invest in comprehensive security programs after they have encountered an incident, assuming that complying with industry standard regulations will be enough in the first place.
Common examples of metrics
Security teams often find it easier to measure risk by following a compliance and audit checklist, however this misconception fails to not only consider the constant nuances of regulations and their requirements of businesses but the advancements of cyber-threats.
A business solely scoring its risk management based on compliance criteria is like a person driving in the fog – you may be able to see the general direction of where you are on the road but it won’t be clear what threats actually lie ahead of you. General Data Protection Regulation (GDPR) is a good example of a regulation that is on everyone’s lips at the moment with its imminent arrival hitting organizations, governments and institutions around the world in 2018.
It should be no surprise that these standards do not go into detail about the specific security controls or technologies that should be used, because they are not meant to be a ‘how to’ guide to resilient security.
More quantitative measurements such as Time to Respond (measuring the speed to respond) and False Positive Reporting Rate (validating that threats they are detecting are real threats) can be seen as logical methods, albeit rather technical, which is often difficult for executive management to comprehend and can end up being undersold on the real value of these controls.
On top of this, security programs need to include people and processes as well, which means not just taking the metrics from an operational perspective but from an awareness and governance perspective too.
Taking a risk-based approach
Accurately measuring the effectiveness of security initiatives requires security experts to extensively assess the risk profile of their organization’s entire IT infrastructure. This means identifying the immediate risks and their impact to key business operations, implementing the relevant controls and processes to remediate them and putting in place a robust governance framework along with agile security operations to continuously manage, and reducing the organization’s risk profile to an acceptable level.
Using this risk-based approach allows an organization’s initial level of security efficacy to be measured, where using metrics such as risk heat mapping or benchmarking against industry best practice are a good starting point. As part of a robust risk management program, regular checks and assessments on the entire IT infrastructure can flag any new risks.
However, they can also highlight any practices or controls that have been put in place since the last assessment, and have been effective in reducing the level or risk in a certain area.
This does not mean that organizations shouldn’t use more technical metrics and follow compliance and audit checklists though. On the contrary, there is a reason these exist and they shouldn’t be ignored. These metrics, however, need to be used by the relevant teams, in a coordinated fashion and form part of the risk monitoring methods that have been agreed upon based on their risk management roadmap.
Communication is key
In order for the whole business to be completely aligned with the effectiveness of security programs, the communications of metrics need to be tailored to the various stakeholders within the organization. This means providing related but different views to practitioners, IT managers, business managers and senior leaders.
Part of this means agreeing on the business success criteria at the planning stages of a security program. If this has not been carried out already, it is vital that all stakeholder representatives get together to set these expectations.
Being able to bridge these gaps not only ensures a common understanding from all levels but also allows cross-functional collaboration. For example, making sure that human resources are aligning security with their business needs so that every welcome pack for new recruits also includes up-to-date security policies or embedding security SLAs when vendor management are in contracts talks with an outsourced IT provider.
To summarize, there are numerous ways to measure security efficacy, but focusing solely on technical metrics or compliance standards won’t allow a common understanding of an organization’s security posture.
Using a risk-based approach to security can help the decision makers of the business to measure the return on investment of their security programs. It can also ensure that each level of the business understands where priorities lie in terms of risk and what resilient cybersecurity initiatives need to be in place to enable the business to meet its digital transformation goals.