Operations

4/3/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Security Measures That Can Actually Be Measured

The massive budgets devoted to cybersecurity need to come with better metrics.

Why is so much of technology security such a mystery? In particular, why does it have so few metrics?

I get it. For any given company, if there hasn't been a breach lately, it's assumed that defenses must be working. But shouldn't there be better measurements of effectiveness? Some level of business accountability? A basic ROI calculation?

Consider the size of the security budget: Gartner projects that global spending on information security products and services will exceed $93 billion in 2018 alone, and that number keeps growing. Last year, we saw the seventh continuous year of security budget increases, with a combined annual growth rate of 6% from 2010 to 2013, and 11% from 2014 to 2017.

Let's bring up the bottom line here. Cybersecurity is not an IT issue. It's a business conversation. In fact, it's a business priority.

As a retired Major General of the U.S. Air Force with three decades of experience leading large-scale efforts to defend global networks, I've been at the intersection of big budgets and serious dangers to infrastructure security. I understand the complex and always-expanding challenges that security chiefs face. There are always new technologies featuring strange vulnerabilities, evolving threat vectors, and emerging cybercriminal operations with sophisticated tactics.

However, this doesn't mean that cybersecurity initiatives should get a pass on the standards that every other department must meet. And for a long time, they've enjoyed exactly that freedom.

Sure, most organizations do make efforts to measure cybersecurity effectiveness, but not in terms of how it benefits the business. The SMI benchmark survey, which consulted 400 global business and security executives, found that 58% of respondents scored a "failing grade" when evaluating their organization's efforts to measure their cybersecurity investments and performance against best practices.

Unlocking the Mysteries of Cybersecurity
Somehow, cybersecurity investments are seldom seen as business decisions. Rather, they are viewed as a kind of mysterious black box with contents that are a deeply held secret. Don't ask too many questions, because it might jinx the process.  

So, what's the answer here? How do we measure cybersecurity effectiveness like every other metrics-driven business unit? When I was CIO at US Transportation Command, I established an oversight committee to evaluate the business impact and risks associated with cybersecurity investments. The channel of communication from the security operations center to the CISO to the boardroom had a major impact.  

Most organizations still don't apply business-related, risk-based metrics to their cybersecurity efforts. Those that do often measure the wrong things — for example, things that can't be validated or represent only a snapshot in time. The key question to ask is: "Are we measuring the validity, value, and effectiveness of our cybersecurity controls?"

Traditional models of measuring cybersecurity effectiveness are siloed and fragmented; cybersecurity measures are managed across separate enterprise channels, and important data is underutilized. Cybersecurity for business needs to be holistic and intelligent while delivering actionable insights, so that resources are focused and prioritized based on associated risk.

For example, IT and networking shops have countless management layers in order to perform synthetic transactions, run Internet Control Message Protocol (ICMP), and answer questions about their environment: "Is my network up? Is it fast?" Capacity planning predicts how much disk space, CPU, and RAM is required based on trends. Why don't we have processes like these for cybersecurity? Specifically, what are the technologies and processes we can implement to position cybersecurity as a metrics-driven business unit? I offer three possibilities.

Possibility 1: Elevate Security to the Highest Levels
Let executives from the boardroom on down be directly involved in management, with all the accountability that requires. The primary question is: "Are we acting appropriately regarding cybersecurity for our customers and our shareholders?"

An enterprise cannot determine how much risk to avoid, accept, mitigate, or transfer (via cyber insurance) without actionable metrics backed by empirical data. This happens when a CISO can compare and trend both subjective security data (such as internal assessments) and objective data points (such as automated monitoring). By contrast, legacy metrics like "time to patch" and "number of attacks stopped by the firewall" are static views. A true security posture can only be achieved through real-time automated assessments of the controls in place.

Possibility 2: An Automated and Proactive Defense
Organizations now face more pressure and more aggressive threats than ever before. Consequently, the defense strategy must be proactive and automated. For example, penetration testing results can be automated for continual (rather than periodic) evaluation.

Possibility 3: Visibility into Business Risk
Forget the mystery. Develop quantitative and measurable data to make wise security investment choices. Ideally, measure and communicate cyber-risk in financial terms, such as the probability and expected cost of security incidents based on current cyber-risk conditions.

None of this will be easy. But as the budgets continue to spike — even as the data breaches keep happening — we need to tie security to accountability. This is a business, and that makes business sense.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Major General Earl Matthews USAF (Ret) is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Octerain
0%
100%
Octerain,
User Rank: Strategist
4/5/2018 | 1:55:19 AM
Re: More abstract nonsense about metrics
Yes rfra, this is what they call "modern reporting". You talk a lot and then say very little. I agree that measure and metrics versus reports and statistics are what we should be doing, but very little is provided in real IP or solutions that others can interpret and implement. The pragmatics will side versus the academics. The one with the eloquent speech will get the budget.
rfra
80%
20%
rfra,
User Rank: Apprentice
4/3/2018 | 3:34:56 PM
More abstract nonsense about metrics
You should re-title this article to "3 non-specific pipe dream ideas for which I present nothing to actually measure".  I'm so sick of all this industry talk about security metrics and nobody ever produces actual useful examples.
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: In Russia, application hangs YOU!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...
CVE-2018-16515
PUBLISHED: 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVE-2018-16794
PUBLISHED: 2018-09-18
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.