Why Security Metrics Miss the Mark- Valutrics

Are we secure? How well is security being managed? Are we on track towards mitigating any outstanding risks to data? Have we had any security incidents? Each of these is a metric on which we can set some measurable objectives. The following sets of data may measure them.

Results of network vulnerability testing. Regular testing of external IP ranges provides an excellent view of security status. Security issues are quickly identified and can be just as quickly remediated. Any outstanding issues can be reflected in the metrics. I use red, green, or yellow depending on the status for each part of the business. I’ve found that the threat of a red mark on a management report is incentive enough to spur local teams into action if nothing else is going to work!

Statistics relating to deployment of patches. This is a measure of how well security is being managed. I’m looking at how successful local teams are at deploying critical patches to desktops and servers. In an environment with hundreds of desktops I’d rarely expect 100% deployment, but 95% should be achievable in a timely manner.

Project plan status. I have a project plan for security delegated to each security manager across the business, varying depending upon the risk mitigation tasks we’ve identified as relevant to their location. Tracking the status of these plans provides another metric for gauging security management and risk mitigation status.

Number of security incidents. Hopefully none at all but a useful section to have on the report, showing what happened, where, and what the consequences were.

A majority of IT security executives are only somewhat confident in their enterprise’s security, according to a new survey. One-third of respondents are confident in their security posture and one-quarter said they communicate effectively about security metrics and posture to senior management. These executives continue to rely mainly on quantitative metrics aimed at preventing breaches. “With security spending continuing to skyrocket, it’s more important than ever to be able to report on metrics that matter, not just quantitative metrics like counting breaches,” said Ed Hammersla, president of Raytheon|Websense. “To be more confident, we need to shift our thinking to metrics such as dwell time, or reducing the time the threat is in our network, which reduces damage and helps strengthen our overall security posture.” The main takeaway: intruders can do more damage the longer they poke around and move laterally within a network. If an organization limits the time a threat exists, it will minimize damage. The study, “Why Executives Lack Security Posture of Confidence,” was conducted by Raytheon and included 100 responses from American IT security executives.
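To make the metrics above concrete, here is an added example (not code from the Valutrics article or from Raytheon) that rolls three of them into a management report over constructed sample data: the red/yellow/green vulnerability status per part of the business, critical-patch deployment measured against the 95% target the article mentions, and the dwell time the survey recommends tracking (earliest attacker activity to detection). The business units, hosts, dates, and the remediation SLAs of 7 days for critical and 30 days for high findings are assumptions chosen for the example, not figures from the page.

```python
"""Security metrics roll-up over constructed sample data.

Added example, not the article's own tooling. Computes:
  * red/yellow/green vulnerability status per business unit
  * critical-patch deployment percentage against a 95% target
  * dwell time (first attacker activity -> detection) per incident
The SLA days and the unit/host/date values are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Finding:
    unit: str                   # business unit / location the host belongs to
    host: str
    severity: str               # "critical", "high", "medium" or "low"
    first_seen: datetime        # date the scan first reported it
    remediated: Optional[datetime] = None   # None = still open


@dataclass
class Incident:
    unit: str
    first_activity: datetime    # earliest evidence of attacker activity
    detected: datetime
    impact: str


# Assumed remediation SLAs in days (anything not listed has no SLA).
SLA_DAYS = {"critical": 7, "high": 30}
PATCH_TARGET = 0.95             # article: 95% should be achievable


def vuln_status(findings, as_of):
    """RAG status for one unit: red = a critical/high finding is open past its SLA,
    yellow = open findings but all within SLA, green = nothing open."""
    open_findings = [f for f in findings if f.remediated is None or f.remediated > as_of]
    if not open_findings:
        return "green"
    for f in open_findings:
        sla = SLA_DAYS.get(f.severity)
        if sla is not None and (as_of - f.first_seen).days > sla:
            return "red"
    return "yellow"


def status_by_unit(findings, as_of):
    """Map each business unit to its RAG status."""
    units = sorted({f.unit for f in findings})
    return {u: vuln_status([f for f in findings if f.unit == u], as_of) for u in units}


def patch_compliance(deployed, total):
    """Fraction of in-scope hosts carrying the critical patch, and whether it meets the target."""
    if total == 0:
        raise ValueError("no hosts in scope")
    pct = deployed / total
    return pct, pct >= PATCH_TARGET


def dwell_days(incidents):
    """Per-incident dwell time in days plus the median across incidents (0.0 if none)."""
    days = [(i.detected - i.first_activity).total_seconds() / 86400 for i in incidents]
    return days, (median(days) if days else 0.0)


# Constructed sample data (hypothetical units, hosts and dates).
AS_OF = datetime(2016, 3, 1)
FINDINGS = [
    Finding("london", "web01", "critical", datetime(2016, 2, 10)),      # open 20 days: past 7-day SLA
    Finding("london", "web02", "low", datetime(2016, 2, 25)),           # no SLA
    Finding("paris", "db01", "high", datetime(2016, 2, 20)),            # open 10 days: within 30-day SLA
    Finding("berlin", "app01", "critical", datetime(2016, 1, 5), datetime(2016, 1, 9)),  # remediated
]
PATCHING = {"london": (480, 500), "paris": (300, 320), "berlin": (95, 100)}   # (patched, total)
INCIDENTS = [
    Incident("paris", datetime(2016, 1, 3, 8), datetime(2016, 1, 15, 8), "credential theft, contained"),
    Incident("london", datetime(2016, 2, 1), datetime(2016, 2, 3, 12), "malware on one desktop"),
]


def build_report(findings=FINDINGS, patching=PATCHING, incidents=INCIDENTS, as_of=AS_OF):
    """Assemble the figures that would appear on the management report."""
    report = {"vuln_status": status_by_unit(findings, as_of), "patching": {}, "incidents": len(incidents)}
    for unit, (deployed, total) in patching.items():
        pct, ok = patch_compliance(deployed, total)
        report["patching"][unit] = (round(pct * 100, 1), ok)
    _, report["median_dwell_days"] = dwell_days(incidents)
    return report


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

With the sample data, London is red (a critical finding open past its SLA), Paris is yellow, Berlin is green; Paris misses the 95% patch target at 93.75%; and the median dwell time is 7.25 days. The RAG rule deliberately ignores medium and low findings when deciding red, so a unit is not flagged for backlog that carries no SLA.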