Security oversight: The big picture view of security 2018
On an almost daily basis, organizations from around the world suffer information security breaches. These breaches cost billions of dollars annually and are a lucrative opportunity for cyber criminals. This risk is universal, with large, mature organizations that employ big security teams often being just as susceptible as smaller organizations. While many companies implement an information security program to protect against these risks, one key aspect is often lacking: effective business metrics to measure and oversee their security posture.
It is common for security teams to work reactively by running from vulnerability to vulnerability, plugging holes wherever they can, but this reactive method hinders the “big picture view” that is required to ensure long-term security of the organization. With an ever evolving threat landscape and increasing compliance requirements, this big picture is now more important than ever. One clear example of this is the Singapore Cybersecurity Bill due to be introduced in 2018, which will hold both organizations and individuals responsible for taking appropriate actions to manage enterprise information security, making a comprehensive overview an invaluable asset.
Organizations of all sizes need to be doing more to regularly review their security as a whole. This includes understanding where they’re being targeted, which controls are failing, where the next attack is likely to come from and to what extent their resources are being distributed in accordance with real-time risk exposure. The key to achieving this lies in the creation and monitoring of a comprehensive set of lean, change-instigating security metrics.
The seven elements of lean, change-instigating metrics to monitor your security posture
To mature your existing security reporting into a comprehensive set of insightful security metrics you must first understand the relative reliance your organization has on each security control domain. This can be achieved by leveraging your asset inventory, threat assessment and risk register to map these to your adopted information security control framework (e.g. ISO 27001 Annex A or NIST Cyber Security Framework). This enables you to understand both the inherent and residual risk exposure levels for each of the security control domains, such as access management, supplier security and incident management. Once you have this view of critical and ‘not-as-critical’ security control domains that you are distributing resources towards, you’ll be able to allocate effort in creating and monitoring metrics accordingly across each domain.
When it comes to developing the metrics for each of these domains, the following seven elements are critical for success:
- Actionable: Consider what action would be taken if the metric was reported at an extreme level. If nothing significant is likely to be changed as a result of a sudden change in the metric then it’s probably a waste of time to collect, analyze and present in the first place. The more drastic the action that will be taken as a result of a sudden change in the metric, the better the metric is in this way.
- Meaningful: It is critical to be able to link the metric back to the relevant business goal and measure the impact on the goal using the insight the metric brings. For example, the organization might have experienced three Distributed Denial of Service (DDoS) incidents last year and one so far this year, but is that good or bad? Why does it matter at all to the organization? A mechanism to grade/score/adopt thresholds can be useful to help frame this. For example, one DDoS incident might require a thorough review from operational management (amber rating), but any further DDoS incidents may require senior management involvement to remediate the root cause (red rating).
- Audience: Consider the recipients of each metric, and separate the audiences based on the action each individual would take if the metric was a certain level (for example, red, amber or green). Establishing metric thresholds for notifying specific individuals can be helpful in this case.
- Genuine: It’s all too tempting to portray the best possible picture to external stakeholders, but don’t be afraid to publish bad news. Stakeholders will often see through fabricated numbers, and if there are very few changes as a result of reviewing the metrics then the buy-in for creating and consuming them will quickly diminish.
- Big picture: Use aggregated data to provide the whole picture, as providing unnecessary detail will both bore and distract. It is also important for the metrics to tell a comprehensive story of your risk exposure, as otherwise there will be blind spots that aren’t being managed appropriately, and these could ultimately be your organization’s point of compromise.
- Cost-effective: Carefully consider the costs and benefits of each metric, and ensure no time is wasted (for example, by leveraging existing data as much as possible). Some of the leanest organizations spend only 15 minutes updating their entire catalogue of security metrics. To conduct a cost-benefit analysis, map out the potential actions that would be taken after each metric result together with the effort involved in producing it to establish how cost-effective it is.
- Timely: Consider the action that should be taken when the metric changes and how long the delay could be before that action is ineffective. For example, if there are already processes in place that will mean an action gets taken before the review of the metric takes place then the metric is not timely.
Below are some examples of metrics for clarification purposes only:
- How do you know that staff continue to act in a secure manner and that the human control is effective? This could be achieved by continually measuring how many security incidents are being caused by lack of employee security awareness month on month.
- How do you ensure your risk exposure represented by your vulnerability management program isn’t excessive? You could collect and trend the total risk exposure level associated with known infrastructure and application vulnerabilities month on month.
- How do you know if you need to react to a changing insider threat level? You could monitor how many Data Loss Prevention (DLP) events from staff there are month on month.
In summary, whether you are establishing new metrics or reviewing your existing ones, undertaking a comprehensive risk-based approach and analyzing each of the seven elements listed above (you could even give each metric a score against them) will enable your organization to truly manage its information security risk exposure to achieve long-term success.
NCC Group’s Risk Management & Governance consultants are experienced in the creation of security metrics, and conversant with many information security and risk frameworks such as ISO 27004, ISO31000, ISO27001 and the Information Security Forum’s Information Risk Assessment Methodology (IRAM).
Published date:  26 January 2018
Written by:  Patrick McCloskey