The document discusses examples of security metrics and reports that can be used to measure the effectiveness of a security program and communicate progress to stakeholders. It provides examples of operational reports that include metrics on information security audit issues, antivirus coverage, patching status, and vulnerability management. It also shows examples of executive discussions on risk metrics and program maturity. The document advises applying the examples by identifying the audience and their concerns, determining accountability for metrics, starting with some initial metrics and improving over time, and developing a package of reports for senior leadership within six months.
The Measure of Success: Security Metrics to Tell Your Story
1. #RSAC
Session ID: GRC-R04
Moderator and panelists:
Wendy Frank, Principal, Advisory, Cybersecurity, Privacy & Risk, PwC
Julie Bernard, Principal – Cyber Risk Services, Deloitte, @juliein10A
Lisa Lee, CRISC, CISA, IAM, IT Examiner, Office of the Comptroller of the Currency, @lisainmiami
2. How to Tell Your Story
Audience
What Good Looks Like
Responsibility and Accountability
Data Availability
Single Source of Truth & Repeatability
“As Is” State
Frequency
4. Operational Report Examples
Active Info Sec Audit Issues by Country/Region (pie chart; legend: US, EMEA, Canada, Japan, Hong Kong, Latin America; slice labels as extracted: 75 (64%), 12 (10%), 7 (6%), 3 (3%), 6 (5%), 14 (12%))
Information Security Audit Issues (bar chart, scale 0-140; categories: Near Close, Business Issues, Significant Bus. Issues)
Overdue Audit Issues (chart)
Trends in Info Sec Audit Issues (bar chart, scale 0-25; categories: Near Close, Bus Issue, Significant Bus Issue)
7. Operational Report Examples
Patching Status for all Workstations
Data gathered 10 days after release of patches and at the end of the month
Chart data labels per snapshot date (series in legend order: Patched = Patched with Critical Patches, Missing = Missing Critical Patches, Not required = Patching Not Required, Deferred = Patching Deferred):
Date      Patched   Missing   Not required   Deferred
4/24/09   326       21        54             1
4/30/09   330       16        55             1
5/22/09   295       52        54             3
5/29/09   313       28        61             3
6/22/09   272       50        74             8
6/30/09   318       16        66             4
7/24/09   328       24        55             0
7/31/09   340       12        55             0
8/21/09   278       69        61             2
8/31/09   319       28        63             0
9/18/09   331       14        61             3
9/29/09   350       2         55             2
8. Operational Report Examples
Patch Management Risk by Platform*
(line chart, risk score axis 0-9, January through June; platforms: Microsoft Servers, VMware, NetApp, Cisco, Checkpoint, Apple iOS, ATMs)
Legend bands with the percentage values extracted from the accompanying table (values as extracted, not attributable to individual platforms): GREEN (0-3): 0.00%, 2.34%; YELLOW (4-7): 5.32%, 4.40%, 7.25%; RED (8-10): 7.98%
*Data is not actual
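The two patching slides above show the output but not how it is derived. The following Python is an added example, not code from the deck or its panelists, that builds those operational numbers from a constructed host inventory: it maps each host to the four legend categories of the workstation patching chart, computes critical-patch coverage, bands a per-platform score into the GREEN (0-3), YELLOW (4-7) and RED (8-10) ranges of the risk-by-platform slide, and compares two snapshots the way the 10-days-after-release and end-of-month pulls do. The Host fields, the scoring formula (ten times the share of in-scope hosts that are not fully patched) and the sample inventory are all assumptions made for the example.

```python
# Added example (not from the RSAC deck): compute the operational patching
# metrics the slides chart from a constructed host inventory snapshot.
from collections import Counter
from dataclasses import dataclass, replace

# Legend categories of the "Patching Status for all Workstations" chart.
PATCHED = "Patched with Critical Patches"
MISSING = "Missing Critical Patches"
NOT_REQUIRED = "Patching Not Required"
DEFERRED = "Patching Deferred"
STATUSES = (PATCHED, MISSING, NOT_REQUIRED, DEFERRED)

# Risk bands from the "Patch Management Risk by Platform" legend (score 0-10).
RISK_BANDS = (("GREEN", 0, 3), ("YELLOW", 4, 7), ("RED", 8, 10))


@dataclass(frozen=True)
class Host:
    """One inventory record. Field names are assumptions, not the deck's."""
    name: str
    platform: str
    patch_required: bool      # False for hosts out of patching scope
    missing_critical: int     # critical patches not yet applied
    deferral_approved: bool   # a documented exception covers the gap


def classify(host: Host) -> str:
    """Map a host to exactly one of the chart's four legend categories."""
    if not host.patch_required:
        return NOT_REQUIRED
    if host.missing_critical == 0:
        return PATCHED
    if host.deferral_approved:
        return DEFERRED
    return MISSING


def status_counts(hosts) -> dict:
    """Counts per legend category, i.e. one column of the slide's table."""
    counts = Counter(classify(h) for h in hosts)
    return {s: counts.get(s, 0) for s in STATUSES}


def critical_coverage(hosts) -> float:
    """Fraction of in-scope hosts that carry every critical patch.
    Deferred hosts count as exposed: an approved exception documents the
    decision to accept the gap, it does not remove the missing patch."""
    in_scope = [h for h in hosts if h.patch_required]
    if not in_scope:
        return 1.0
    return sum(classify(h) == PATCHED for h in in_scope) / len(in_scope)


def risk_band(score: int) -> str:
    """Band an integer 0-10 score with the slide's GREEN/YELLOW/RED cut-offs."""
    for name, low, high in RISK_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"risk score {score} outside 0-10")


def platform_risk(hosts) -> dict:
    """Per-platform (score, band). The score is an assumption for this example:
    ten times the share of in-scope hosts that are not fully patched, rounded
    to an integer so that it falls into the slide's bands."""
    by_platform = {}
    for h in hosts:
        if h.patch_required:
            by_platform.setdefault(h.platform, []).append(h)
    result = {}
    for platform, group in by_platform.items():
        exposed = sum(classify(h) != PATCHED for h in group)
        score = round(10 * exposed / len(group))
        result[platform] = (score, risk_band(score))
    return result


def missing_delta(before, after) -> int:
    """Change in the Missing Critical Patches count between two snapshots,
    e.g. the 10-days-after-release and end-of-month pulls the slide compares.
    Negative means the backlog shrank."""
    return status_counts(after)[MISSING] - status_counts(before)[MISSING]


# Constructed sample inventory (not real data): the 10-days-after-release pull.
SAMPLE_HOSTS = [
    Host("ws01", "Windows", True, 0, False),
    Host("ws02", "Windows", True, 2, False),
    Host("ws03", "Windows", True, 1, True),
    Host("ws04", "Windows", False, 0, False),
    Host("ws05", "Windows", True, 0, False),
    Host("mac01", "macOS", True, 0, False),
    Host("mac02", "macOS", True, 3, False),
    Host("mac03", "macOS", True, 0, False),
    Host("atm01", "ATMs", True, 4, False),
]

# Constructed end-of-month snapshot: two backlog hosts have since been patched.
MONTH_END_HOSTS = [
    replace(h, missing_critical=0) if h.name in ("ws02", "mac02") else h
    for h in SAMPLE_HOSTS
]

if __name__ == "__main__":
    print("status counts:", status_counts(SAMPLE_HOSTS))
    print("critical coverage: %.1f%%" % (100 * critical_coverage(SAMPLE_HOSTS)))
    print("platform risk:", platform_risk(SAMPLE_HOSTS))
    print("missing delta to month end:", missing_delta(SAMPLE_HOSTS, MONTH_END_HOSTS))
```

The choice to count deferred hosts as exposed in critical_coverage is deliberate: the legend separates Deferred from Missing so that the report shows which gaps are governed, but a coverage figure that silently absorbed deferrals would overstate the patched estate to the committee reading it.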
20. Board Reports - Measures
Current threats to business
Security program strategy
Key trends in cybersecurity
Performance against goals & objectives
Exposure to key 3rd parties
Spending vs. priorities
Meeting internal standards
Security initiatives supporting business objectives
Management/staff experience
Tracking key projects
22. Applying These Examples
Next week you should:
Identify your audience, their concerns/values, and their language
Determine responsibility and accountability
Define the metrics that are important to your organization
Start somewhere and improve as needed
23. Applying These Examples (cont’d.)
In the first month following this presentation you should:
Agree on what “Good” looks like
Determine data sources, availability, and repeatability
Develop the metrics, KPIs, and KRIs that best align with your objectives
Within six months you should:
Design a package of reports for senior committees and the board
Determine reporting frequency