Metrics & Reporting 2
CONTENTS
Metrics and Reporting (p. 3)
The Problem Measured (p. 4)
Is This Important? (p. 5)
‘Communication is What the Receiver Does’ (p. 6)
What IT/Security is Doing (p. 7)
The Danger in Poor Communication (p. 10)
What is IT/Security Doing About this Lack of Communication? (p. 10)
What Should IT/Security Be Doing? (p. 11)
© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate.
This publication may not be reproduced or distributed in any form without Wisegate's prior written
permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
In June of 2014, Wisegate conducted a member-driven research initiative designed to
assess the current state of security risks and controls in business today. Assessing IT
Security Risks addresses many of the top takeaways from this survey. This document is the
first in a series of reports designed to look more closely at four specific issues highlighted
by that survey.
» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration
Metrics and Reporting
This document might just as easily have been titled ‘The Lack of Metrics’. The issue is
captured in a simple conclusion reached in Assessing IT Security Risks:
“Overall, [security] teams were optimistic but not overwhelmingly confident.”
On the surface, this statement appears to hide a contradiction: how can someone be
genuinely optimistic without being simultaneously confident? That apparent contradiction
hides a potentially widespread problem in information security: CISOs are always improving
their company security; there is little ability, however, to measure that success (or indeed,
lack of it).
Without having the metrics of success or failure, security teams can be optimistic in what
they are doing—but cannot ultimately be confident in its effect.
This problem is then compounded. Metrics form the basis of business-level reporting, and
without those metrics IT struggles to effectively communicate security issues to Business.
The Problem Measured
Participants in this survey were asked, ‘do you have metrics in place to track your top three
risks?’ (see Figure 1). Overall, 50% do not have metrics.
…the real problem with security risk management in the enterprise isn’t of
confidence—it’s of measurement; survey respondents don’t really have a good way
of indicating the effectiveness (or lack thereof) of existing programs.
—Assessing and Managing IT Security Risks
Figure 1: Survey Question: Do you have a metric to measure the risk in your top
three areas of concerns?
Source: Wisegate June 2014
The problem is that there is a general acceptance that all three top risks are growing—more
than 80% of participants believe that major risks are increasing in their industry (see Figure
2).
[Note: These three ‘top risks’ are non-specific—they are whatever the participant
considered to be his or her personal top three risks. Overall, the top three risks are
malware, data breaches and outsider threat.]
Figure 2: Survey Question: Which risks are growing for your specific company and
industry?
Source: Wisegate June 2014
What this means, in effect, is that IT cannot accurately communicate an increasing security
risk to Business; and Business cannot accurately understand that security risk and its
possible impact on the business.
Is This Important?
This lack of communication is very important, for three particular reasons:
» Real security cannot be achieved without full Business buy-in.
» Business is likely to become suddenly very keen on understanding security
following the recent prosecution of FedEx in what can be seen as an extension of
the ‘failure to prevent’ theory. “This bodes ill not only for corporations that fail to
prevent criminal activity, but for corporate compliance officers whose programs,
when scrutinized under the glare of 20-20 hindsight, may be found deficient.”[1] It is
possible that within a relatively short period, individual board members could be
held legally liable for security failures.
» Boards are being urged by the National Association of Corporate Directors to be
more proactive in information security.
The reality is that possibly for the first time, corporate boardrooms are taking cyber security
seriously. The continuous flow of news of major security breaches in major companies is
having an effect. Boards are asking:
» How does our security stack up?
» How do we compare with other companies in our sector?
Without adequate security metrics to answer those questions in the language that Business
understands, IT/Security will miss a major opportunity.
‘Communication is What the Receiver Does’
It is a tenet of communication that you have to listen. There are signs that Business is ready
to listen.
In July 2014 the National Association of Corporate Directors published a new handbook for
its members: Cyber-Risk Oversight[2]. Its advice to directors is organized around five key
principles:
1. Directors need to understand and approach cyber security as an enterprise-wide
risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to
their company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions
about cyber-risk management should be given regular and adequate time on the
board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide,
cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include
identification of which risks to avoid, accept, mitigate or transfer through insurance
as well as specific plans associated with each approach.
[1] The Rise of 'Failure to Prevent' Crimes and CCO Liability; New York Law Journal (27 October 2014):
http://newyorklawjournal.com/id=1202674374593
[2] Cyber-Risk Oversight Handbook (free to NACD members): http://www.nacdonline.org/cyber
That last point highlights the need for discussion between IT/Security and the board. When
the handbook was first published, Internet Security Alliance President Larry Clinton
commented, "Most business leaders do not spend a lot of time talking about ISO standards
and NIST framework. They talk about things like profitability, growth, innovation product
development, price-to-earnings ratios. This publication, perhaps for the first time, attempts
to put cybersecurity squarely within that business context."
But while Business might be ready to listen, there remains a difficulty for IT/Security to
speak in a language that it understands.
What IT/Security is Doing
IT/Security is taking a risk-based approach to defending systems; but it currently lacks the
means to report the risk status to boards and internal business partners.
“CISOs are measuring tactical things,” explains the Assessing IT Security Risks lead author,
Bill Burns. “What metrics exist are events-driven: how much classified data was blocked
from leaving the system; how many malware hits were stopped at the firewall or by the AV
software. But there exists a huge disconnect between such activity-based metrics and
rolling them up into ‘what is the impact of our security programs on the business’.”
The problem, he suggests, is that there remains a tool-centric rather than risk-centric view
of security—and the tools that are available rarely provide metrics that can be combined
into an overall metrics-based company risk report suitable for delivery to the board. This
leads to a failure of communication between IT/Security and Business—which is, says
Burns, a major challenge for IT/Security.
To a large degree this basic problem is a natural result of the security product market,
which comprises a wide range of distinct point products. The natural desire to use a ‘best
of breed’ approach (that is, to use the best available solution for each separate risk)
doesn’t lend itself to seamless security metrics. The extent of the problem can be seen in
Figures 3 to 6, taken from the survey. The diversity of different products expected to be
used in the next 3-5 years makes seamless and cohesive reporting across the whole
security discipline difficult to achieve—and almost impossible in a format suitable to
present to business management. This is unlikely to change within the next five years.
Figure 3: Survey Question: Which endpoint-targeted security controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 4: Survey Question: Which mobility / IoT security control will be most
important to your company in the next 3-5 years?
Source: Wisegate, June 2014
Figure 5: Survey Question: Which of these Messaging, File/Doc Sharing controls
will be a top priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 6: Survey Question: Stack-rank these Infrastructure controls by which will be
a top priority to you in the next 3-5 years.
Source: Wisegate, June 2014
This volume of different products makes communicating strengths and weaknesses in the
corporate security profile in relation to business impact a difficult proposition. “Although this
sounds harsh,” comments Burns, “it results in a failure of the security teams to
communicate in business terms, and for business people to understand security. There’s a
business gap—and it’s one of the biggest challenges I see for Security.”
The Danger in Poor Communication
The two primary dangers of poor communications are:
» A continuing disconnect between Business and Security, leading to underfunding
and weak policy implementation
» A Business concentration on the one set of industry-wide metrics already available:
compliance checklists
Many security teams already believe they suffer from the first, and many more will
increasingly come up against the latter.
“I think we are finally at the point, with so many large scale breaches,” explains Burns, “that
Business is taking Security seriously. Boards are ready to listen if we can learn their
language to speak to them. What they want to know is, ‘are we doing everything we should
be doing; and are we doing what our peers are doing?’”
It is that latter point that leads Business to concentrate on compliance-based security. If the
only metrics available are the compliance regulations, then conforming strictly to those
requirements serves two purposes: firstly it provides a defense against any possible ‘failure
to prevent’ legal challenges; and secondly it provides a likely ‘peer comparison’ point.
Most security professionals do not believe that conforming to a compliance checklist
provides the best possible security. However, unless Security can develop its own metrics
and reporting, Business will inevitably come to rely increasingly on compliance instead—possibly
to the detriment of real security.
What is IT/Security Doing About this Lack of Communication?
IT/Security readily acknowledges that communication is a problem. “People accept that this
is a problem, and talk about it,” comments Burns. “But not one of the survey participants
could say, ‘I cracked the nut—this is what you have to do to communicate successfully.’”
It is a subject that frequently occurs in Wisegate roundtable discussions. For example, in a
recent Wisegate Live Research call, one CISO with a large financial firm noted:
“The higher you go, the more you need to be able to talk about business drivers in
business language that business can understand. The thing that works best seems
to be stories and analogies—they seem to be the best way to share information with
the more senior individuals in your business.”
—“What are the soft skills required for a career in IT and security?” Roundtable
Talking, however, is not reporting, and stories are not metrics. The reality is that IT/Security
mostly does little more than talk about the problem of metrics and reporting.
What Should IT/Security Be Doing?
The survey shows that IT/Security suffers from a lack of adequate metrics. This translates
into poor communication between IT/Security and Business. In the short term this can be
improved by IT/Security aggregating security point solutions to provide a seamless holistic
risk rating; and then creating the metrics to demonstrate the impact of security on business.
In the longer term, the problem provides an opportunity for security users and security
vendors. As the move towards the adoption of security as a service (SaaS) solutions
gathers pace, security teams can start to insist on the provision of usable metrics as part of
the partner agreement.
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to
submit your request for membership.
 

Metrics & Reporting - A Failure in Communication

CONTENTS

Metrics and Reporting .......... 3
The Problem Measured .......... 4
Is This Important? .......... 5
‘Communication is What the Receiver Does’ .......... 6
What IT/Security is Doing .......... 7
The Danger in Poor Communication .......... 10
What is IT/Security Doing About this Lack of Communication? .......... 10
What Should IT/Security Be Doing? .......... 11

© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.

In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from this survey. This document is the first in a series of reports designed to look more closely at four specific issues highlighted by that survey.

» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration

Metrics and Reporting

This document might have just as easily been titled, ‘The Lack of Metrics’. It is highlighted in a simple conclusion reached in Assessing IT Security Risks: “Overall, [security] teams were optimistic but not overwhelmingly confident.”

On the surface, this statement appears to hide a contradiction: how can someone be genuinely optimistic without being simultaneously confident? That apparent contradiction hides a potentially widespread problem in information security: CISOs are always improving their company security; there is little ability, however, to measure that success (or indeed, lack of it). Without having the metrics of success or failure, security teams can be optimistic in what they are doing—but cannot ultimately be confident in its effect.

This problem is then compounded. Metrics form the basis of business-level reporting, and without those metrics IT struggles to effectively communicate security issues to Business.

The Problem Measured

Participants in this survey were asked, ‘do you have metrics in place to track your top three risks?’ (see Figure 1). Overall, 50% do not have metrics.

“…the real problem with security risk management in the enterprise isn’t of confidence—it’s of measurement; survey respondents don’t really have a good way of indicating the effectiveness (or lack thereof) of existing programs.”
—Assessing and Managing IT Security Risks

Figure 1: Survey Question: Do you have a metric to measure the risk in your top three areas of concerns? Source: Wisegate, June 2014

The problem is that there is a general acceptance that all three top risks are growing—more than 80% of participants believe that major risks are increasing in their industry (see Figure 2). [Note: These three ‘top risks’ are non-specific—they are whatever the participant considered to be his or her personal top three risks. Overall, the top three risks are malware, data breaches and outsider threat.]

Figure 2: Survey Question: Which risks are growing for your specific company and industry? Source: Wisegate, June 2014

What this means, in effect, is that IT cannot accurately communicate an increasing security risk to Business; and Business cannot accurately understand that security risk and its possible impact on the business.

Is This Important?

This lack of communication is very important, for three particular reasons:

» Real security cannot be achieved without full Business buy-in.
» Business is likely to become suddenly very keen on understanding security following the recent prosecution of FedEx in what can be seen as an extension of the ‘failure to prevent’ theory. “This bodes ill not only for corporations that fail to prevent criminal activity, but for corporate compliance officers whose programs, when scrutinized under the glare of 20-20 hindsight, may be found deficient.”[1] It is possible that within a relatively short period, individual board members could be held legally liable for security failures.
» Boards are being urged by the National Association of Corporate Directors to be more proactive in information security.

The reality is that possibly for the first time, corporate boardrooms are taking cyber security seriously. The continuous flow of news of major security breaches in major companies is having an effect. Boards are asking:

» How does our security stack up?
» How do we compare with other companies in our sector?

Without adequate security metrics to answer those questions in the language that Business understands, IT/Security will miss a major opportunity.

‘Communication is What the Receiver Does’

It is a tenet of communication that you have to listen. There are signs that Business is ready to listen. In July 2014 the National Association of Corporate Directors published a new handbook for its members: Cyber-Risk Oversight[2]. Its advice to directors is organized around five key principles:

1. Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.

[1] The Rise of 'Failure to Prevent' Crimes and CCO Liability; New York Law Journal (27 October 2014): http://newyorklawjournal.com/id=1202674374593
[2] Cyber-Risk Oversight Handbook (free to NACD members): http://www.nacdonline.org/cyber

That last point highlights the need for discussion between IT/Security and the board. When the handbook was first published, Internet Security Alliance President Larry Clinton commented, "Most business leaders do not spend a lot of time talking about ISO standards and NIST framework. They talk about things like profitability, growth, innovation, product development, price-to-earnings ratios. This publication, perhaps for the first time, attempts to put cybersecurity squarely within that business context."

But while Business might be ready to listen, there remains a difficulty for IT/Security to speak in a language that it understands.

What IT/Security is Doing

IT/Security is taking a risk-based approach to defending systems; but it currently lacks the means to report the risk status to boards and internal business partners.

“CISOs are measuring tactical things,” explains the Assessing IT Security Risks lead author, Bill Burns. “What metrics exist are events-driven: how much classified data was blocked from leaving the system; how many malware hits were stopped at the firewall or by the AV software. But there exists a huge disconnect between such activity-based metrics and rolling them up into ‘what is the impact of our security programs on the business’.”

The problem, he suggests, is that there remains a tool-centric rather than risk-centric view of security—and the tools that are available rarely provide metrics that can be combined into an overall metrics-based company risk report suitable for delivery to the board. This leads to a failure of communication between IT/Security and Business—which is, says Burns, a major challenge for IT/Security.

To a large degree this basic problem is a natural result of the security product market, which comprises a wide range of distinct point products. The natural desire to use a ‘best of breed’ approach (that is, to use the best available solution for each separate risk) doesn’t lend itself to seamless security metrics. The extent of the problem can be seen in Figures 3 to 6, taken from the survey. The diversity of different products expected to be used in the next 3-5 years makes seamless and cohesive reporting across the whole security discipline difficult to achieve—and almost impossible in a format suitable to present to business management. This is unlikely to change within the next five years.

Figure 3: Survey Question: Which endpoint-targeted security controls will be a top priority to you in the next 3-5 years (multiple selections allowed)? Source: Wisegate, June 2014

Figure 4: Survey Question: Which mobility / IoT security control will be most important to your company in the next 3-5 years? Source: Wisegate, June 2014

Figure 5: Survey Question: Which of these Messaging, File/Doc Sharing controls will be a top priority to you in the next 3-5 years (multiple selections allowed)? Source: Wisegate, June 2014

Figure 6: Survey Question: Stack-rank these Infrastructure controls by which will be a top priority to you in the next 3-5 years. Source: Wisegate, June 2014

This volume of different products makes communicating strengths and weaknesses in the corporate security profile in relation to business impact a difficult proposition. “Although this sounds harsh,” comments Burns, “it results in a failure of the security teams to communicate in business terms, and for business people to understand security. There’s a business gap—and it’s one of the biggest challenges I see for Security.”

The Danger in Poor Communication

The two primary dangers of poor communication are:

» A continuing disconnect between Business and Security, leading to underfunding and weak policy implementation
» A Business concentration on the one set of industry-wide metrics already available: compliance checklists

Many security teams already believe they suffer from the first, and many more will increasingly come up against the latter.

“I think we are finally at the point, with so many large scale breaches,” explains Burns, “that Business is taking Security seriously. Boards are ready to listen if we can learn their language to speak to them. What they want to know is, ‘are we doing everything we should be doing; and are we doing what our peers are doing?’”

It is that latter point that leads Business to concentrate on compliance-based security. If the only metrics available are the compliance regulations, then conforming strictly to those requirements serves two purposes: firstly it provides a defense against any possible ‘failure to prevent’ legal challenges; and secondly it provides a likely ‘peer comparison’ point.

Most security professionals do not believe that conforming to a compliance checklist provides the best possible security. However, unless Security can develop its own metrics and reporting, Business will inevitably and increasingly rely on compliance instead—possibly to the detriment of real security.

What is IT/Security Doing About this Lack of Communication?

IT/Security readily acknowledges that communication is a problem. “People accept that this is a problem, and talk about it,” comments Burns. “But not one of the survey participants could say, ‘I cracked the nut—this is what you have to do to communicate successfully.’”

It is a subject that frequently occurs in Wisegate roundtable discussions. For example, in a recent Wisegate Live Research call, one CISO with a large financial firm noted:

“The higher you go, the more you need to be able to talk about business drivers in business language that business can understand. The thing that works best seems to be stories and analogies—they seem to be the best way to share information with the more senior individuals in your business.”
—“What are the soft skills required for a career in IT and security?” Roundtable

Talking, however, is not reporting, and stories are not metrics. The reality is that IT/Security mostly does little more than talk about the problem of metrics and reporting.

What Should IT/Security Be Doing?

The survey shows that IT/Security suffers from a lack of adequate metrics. This translates into poor communication between IT/Security and Business. In the short term this can be improved by IT/Security aggregating security point solutions to provide a seamless holistic risk rating; and then creating the metrics to demonstrate the impact of security on business.

In the longer term, the problem provides an opportunity for security users and security vendors. As the move towards the adoption of security as a service (SaaS) solutions gathers pace, security teams can start to insist on the provision of usable metrics as part of the partner agreement.

PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.
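The short-term recommendation above, and Burns's earlier distinction between events-driven tool counts and business impact, can be made concrete with a small roll-up. The following is an added illustration written for this page; it is not Wisegate's code and the report proposes no particular formula. The tool names, the counts, the three risk areas (taken from the survey's overall top three), the rating thresholds and the trend rule are all constructed assumptions. It shows the gap the report describes: every point product "blocked more" in the second period, which an activity metric would present as good news, while the roll-up per risk area shows data-breach exposure getting worse and an uncovered risk area reporting as unmeasured rather than as zero risk.

```python
"""Roll event-driven point-product counts up into a per-risk-area rating.

Added illustration for this page. The records below, the risk areas, the
thresholds and the trend rule are constructed assumptions, not figures or
a method from the Wisegate report.
"""
from collections import defaultdict

# Constructed sample of the activity counts point tools typically emit:
# (tool, risk_area, period, events_detected, events_blocked, incidents_with_business_impact)
ACTIVITY = [
    ("endpoint_av",   "malware",         "2014-Q1", 1200, 1180, 2),
    ("endpoint_av",   "malware",         "2014-Q2", 1500, 1490, 1),
    ("web_gateway",   "malware",         "2014-Q1",  800,  790, 1),
    ("web_gateway",   "malware",         "2014-Q2",  950,  948, 0),
    ("dlp",           "data_breach",     "2014-Q1",  300,  270, 3),
    ("dlp",           "data_breach",     "2014-Q2",  420,  360, 5),
    ("perimeter_ids", "outsider_threat", "2014-Q1", 5000, 4990, 0),
    ("perimeter_ids", "outsider_threat", "2014-Q2", 7200, 7150, 2),
]

# The survey's overall top three risks; the board report is organised by these, not by tool.
TOP_RISKS = ("malware", "data_breach", "outsider_threat")


def roll_up(activity):
    """Aggregate every tool covering a risk area into one record per period."""
    totals = defaultdict(lambda: defaultdict(lambda: {"detected": 0, "blocked": 0, "incidents": 0}))
    for _tool, area, period, detected, blocked, incidents in activity:
        rec = totals[area][period]
        rec["detected"] += detected
        rec["blocked"] += blocked
        rec["incidents"] += incidents
    for periods in totals.values():
        for rec in periods.values():
            # Share of detected events the controls stopped; 1.0 when nothing was seen at all.
            rec["effectiveness"] = rec["blocked"] / rec["detected"] if rec["detected"] else 1.0
            # Events that got past the controls: the figure a board cares about, not "blocked".
            rec["residual"] = rec["detected"] - rec["blocked"]
    return totals


def rate(current, previous=None):
    """Map one period's roll-up to a rating and a trend (assumed, illustrative thresholds)."""
    incidents = current["incidents"]
    rating = "Low" if incidents == 0 else "Medium" if incidents <= 2 else "High"
    if previous is None:
        return rating, "no baseline"
    worse = (incidents > previous["incidents"]
             or current["effectiveness"] < previous["effectiveness"] - 0.01)
    better = (incidents < previous["incidents"]
              and current["effectiveness"] >= previous["effectiveness"])
    trend = "worsening" if worse else "improving" if better else "stable"
    return rating, trend


def board_summary(activity, top_risks, period, previous_period=None):
    """One row per top risk, phrased in impact terms rather than tool counts."""
    totals = roll_up(activity)
    rows = []
    for area in top_risks:
        if area not in totals or period not in totals[area]:
            # No tool reports on this risk: say so, instead of letting it read as "no risk".
            rows.append({"risk": area, "rating": "Unmeasured", "trend": "no data",
                         "incidents_with_impact": None, "control_effectiveness": None})
            continue
        cur = totals[area][period]
        prev = totals[area].get(previous_period) if previous_period else None
        rating, trend = rate(cur, prev)
        rows.append({"risk": area, "rating": rating, "trend": trend,
                     "incidents_with_impact": cur["incidents"],
                     "control_effectiveness": round(cur["effectiveness"], 3)})
    return rows


if __name__ == "__main__":
    for row in board_summary(ACTIVITY, TOP_RISKS + ("insider_threat",), "2014-Q2", "2014-Q1"):
        print(f'{row["risk"]:<16} {row["rating"]:<11} {row["trend"]:<11} '
              f'incidents={row["incidents_with_impact"]} effectiveness={row["control_effectiveness"]}')
```

The design point is the grouping key: aggregation is by risk area and period, never by tool, so a new point product slots into an existing row instead of adding a new metric the board has to learn. The thresholds are placeholders; a real programme would set them with the business and revisit them, and would record the decision alongside the numbers.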