Recently, I came upon a blog post on TechRepublic titled, “Why security metrics aren’t helping prevent data loss,” which explores why data losses continue to increase despite the introduction of security metrics to help achieve information security goals.
The TechRepublic post cites some key findings from a large-scale survey on “The State of Risk-Based Security Management” conducted by the Ponemon Institute. The results indicate that:
- The vast majority of respondents agree that metrics are “very important” (about 50%) or “important” (about 30%) in “achieving a mature, risk-based security management process.”
- However, more than 50% of respondents said no or were unsure when asked whether their security metrics aligned with business objectives.
- More than 50% of respondents said they were not effective in “communicating all relevant facts about the state of security risk to senior executives.”
- When asked why they felt metrics weren’t aligned with business objectives, 50% or more of respondents felt that 1) the information is too technical for non-technical management to understand; and/or 2) More pressing departmental issues take precedence over security metrics discussions.
The report concluded that security professionals must “find or create metrics that are more broadly understood by business leaders,” and do a better job communicating about them. A little fine-tuning is often all that’s required to create useful metrics that are well aligned with IT security goals and can drive action towards continuous improvement.
The ISO 27001 standard requires that metrics be in place to measure the effectiveness of security controls. Pivot Point Security helps many businesses achieve ISO 27001 certification, so we work closely with clients to help them get their metrics right.
In my experience, almost every client is excited to finally have metrics in place to help them manage security risk. But even so, they frequently struggle to define the right metrics the first time around. After one audit cycle, most of our clients end up redefining at least a few of the metrics that were initially established for ISO 27001 certification. This is often because they encounter operational problems like those mentioned above; i.e., the metrics are too technical to communicate to management or too complex to gather and report in the limited time security professionals have in their schedules.
The good news is that our clients appreciate their metrics even more “the second time around.” Usually they’re able to resolve their operational challenges and leverage metrics effectively by simplifying the process.
How do you go about fine-tuning security metrics? Here are some of the resources that I’ve found useful:
- Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith. This book is specifically geared to help you define, create and utilize security metrics based on your unique requirements. It will help you decide what metrics to use, and how to analyze and visualize them to facilitate communication with business executives.
- ISO 27004 Information security management — Measurement. This standard offers step-by-step instructions for designing and reporting security metrics.
- COBIT 5 for Information Security. This security-specific framework provides guidance on metrics, including examples of metrics for IT security controls.
If you’re looking for help with creating security metrics, or with getting current metrics to work better for you, Pivot Point Security is here to help with strategy, implementation and operations regarding your Information Security Management System (ISMS), Security Event Management (SEM) and other initiatives.