Security Metrics Can Make or Break a Security Program; How to Present to the Board
By Roota Almeida
Head of Information Security – Delta Dental of NJ and CT
CISOs are often in a situation where the CEO or a Board member asks them, “Just how secure are we?” Or “Are we secure enough?”
These questions sound simple, but are quite difficult to answer accurately. The quick answer to the question would be, “We are more secure today than we were before and are constantly striving to be better and one step ahead of the bad guys.”
However, an answer like this may stave off other questions it will not paint a complete picture. It will not show the efforts involved in trying to be a step ahead of the attackers. In today’s world no one can assure 100% protection. It’s not a matter of “if you will be breached, but when you will be breached?” Prevention is critical. However, focusing on faster and better detection and mitigation is equally and sometimes even more important.
A key component when moving forward in a security program and then presenting to the Board is to tie security initiatives to the company’s overall business goals and subsequent initiatives. If the goal is to expand the business and garner more clients, a CISO should focus on building a security program that meets these needs while reducing risks and mitigating threats.
Shifting the way security is perceived to that of supporting and enabling the company’s objectives is crucial for today’s CISOs. Security needs to move from a cost center to a business enabler. Being successful in portraying this will provide CISOs the support and partnership needed to build a successful Security Program. Talking the language of business is what will get you there! Security metrics, which are more granular, should be a part of other business metrics that matter in making business decisions.
A definitive strategy for a successful Security Program consists of four parts:
- What are the company (Boards) objectives
- How does the CISO further these objectives
- Where was the security program in relation to these objective until now
- Based on the current threats and associated risks what is our strategy going forward
Security metrics are increasingly important in defining such a strategy. These metrics will give insight into the current threats and how your current efforts are panning out. When making decisions and relaying overall imperatives to the board it is key to choose the appropriate metrics to generate and communicate.
Metrics that will help give you paint a complete picture and make better decisions, not just in security but also across business units. Security metrics should be SMART (Specific, Measurable, Achievable, Relevant and Time-bound), similar to your goals. SMART Metrics=SMART Goals.
The Return on Investment (ROI) approach used in traditional financial metrics generally does not apply to security-related initiatives. Security is about risk management, threat mitigation and loss prevention. It’s not a conventional investment that will result in direct profit though it can enable business. For a CISO, the way to calculate ROI on a Security Investment is by calculating how much loss was avoided due to your investment. It’s risk-based security.
Security Metrics will be helpful when they are:
- Repeatable: A repeatable metric is something that is easy to gather and can be updated on a regular basis. It’s important to note that gathering metrics comes with a cost, similar to any other initiative in security. Suitable and repeatable metrics that leverage automation show important information that should be tracked over time.
- Know the Audience: Boards will be more interested in knowing how the security programs impact the business and that the business’s critical assets (proprietary information, their reputation etc.) are being protected.
Metrics should help the audience in decision making and not just tracking. It should enable its audience to actually take action and do something to move forward the aim of the business. Similar to any successful project implementation, one should start with gathering requirements and then working on achieving and tracking them.
- Tangible: The challenge with security metrics is to create tangible and accurate results especially for the effectiveness of Risk and Governance controls; such as policy and process implementation. It’s critical to create metrics that can be described using numbers. Starting with a high, medium, or low is okay as long as you can further refine it, to be tangible.
- Quality over quantity: There isn’t a fixed number of metrics that is necessary but often in this scenario ‘less is more.’ It’s best you achieve maximum value from your current metrics before adding new ones.
Defining a metrics program goals and objectives will help in developing the right strategies for generating these metrics. One can use several specific metrics like the following:
- Metrics showing how much potentially malicious content is being blocked or detected early enough to minimize damage. E.g. Number of potentially malicious sites blocked, potentially malicious emails blocked, and number of viruses blocked etc.
- Malicious content that is undetected and passes through the defenses resulting in an incident, not necessarily a breach and what is being done to improve in that area.
- Security incident metrics that were acted upon by the Security Incident Response Team to contain and resolve. Time spent on mitigating threats will help determine the ROI of the investment.
If you do have qualitative measurements that are inaccurate or might not add value skip them. The goal is to create accurate metrics whether it’s for the effectiveness of processes or policies or for security awareness trainings to support the business.