WASHINGTON, D.C. -- CSI Annual Conference 2009 -- It's the question only a top-level business manager can ask -- the question all security managers have come to dread.

"How secure are we?"

Nearly every security professional must answer questions like this from time to time -- questions that simultaneously ask about the risk of critical data loss and the real value of security processes, technology, and personnel. At the Computer Security Institute's annual conference here this week, several speakers offered advice on measuring security risks and communicating those risks to top-level managers and executives.

"The operative problem is that you can't really accurately measure security status," said Christopher Michael, director of information assurance at defense contractor BAE Systems. "There's no truly accurate way to do it. But you have to do something to help show risks and benefits because the business demands it."

Bill Mann, senior vice president of security product strategy at CA, offered similar advice in his CSI presentation. "Security people tend to be exact -- they want everything to be 100 percent," he said. "But when you're reporting to upper management, you need to put it out there -- without worrying about everything being perfect."

The key when conveying risks and benefits to top executives, Mann said, is to speak in terms they will understand. "You can't talk about packets," he said. "These guys think in spreadsheets. They think about things like 'impact' and 'likelihood.' Give them some idea of the risk, then give them some options for mitigating them."

Before security professionals approach their management, they must understand the risk themselves, said Rafal Los, senior security consultant for HP's Application Security Center, in his CSI presentation.

"As technology people, we often chase the things that seem to be the biggest risk -- the things that are the most innovative -- without really doing an analysis of the actual risk," Los said. "In most cases, it's not something new, but your legacy systems that pose the highest overall risk right now. It's the things that came before you, but that nobody's looked at for a long time, that you should worry about. Too often, we hyperfocus on new, cool hacks that will never happen, rather than the legacy systems."

In other cases, enterprises may fail to update their risk stance to reflect changes in time or world events. Executives at security vendor NetWitness frequently stated that enterprises and government agencies are preparing for the "cyber threat of 1995" without taking into account the formidable capabilities of today's organized criminals and foreign governments.

"We estimate that there are currently 100 countries that have cyberwar capabilities today, and many of them are more advanced than the organized criminal groups we talk so much about in the security space," said Eddie Schwartz, CSO of NetWitness, in an interview at CSI. "But most companies don't account for that in their security strategies. A lot of companies don't understand the risks associated with contractors or social networking. Most companies still focus on compliance and prevention, but they're fighting a losing battle. We need to rethink the risk equation."

There are many methods for calculating risk, the speakers noted. BAE's Michael recommended the NIST risk management framework, which outlines methods for analyzing the potential impact of a breach, selecting and implementing controls, assessing and monitoring their effectiveness, and reporting residual risk.

The key is creating metrics that can be quantitatively tracked over time, Michael said. He recommended creating a "security risk register," in which the owners of each security-related process identify metrics for that process, including the likelihood of compromise and the consequences of such a compromise.

"Once you have that in place, then the managers can decide which ones are important to them," Michael said. Management may even choose to rank the processes with a quantitative score, which helps the security team focus on those that pose the highest risks. Security teams can also perform a gap analysis for each process, estimating current security status against the highest possible security status for that process, he said.

Compliance is one of the easier security metrics to measure because there are standards to be measured against, Michael said. Cost reduction -- such as the implementation of a self-service password reset process -- and cost avoidance, such as a reduction in breaches, might also be measurable in a way that appeals to management.

But Los cautioned that all mathematical risk models must be tailored to fit the organization's priorities and business models. "There are many mathematical risk management risk models, but 90 percent of them don't apply to the people who are reading them," Los said. "Risk is a company-specific issue. You have to set your own standards for it."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.