Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

6/9/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Security Metrics: It’s All Relative

What a haircut taught me about communicating the value of security to executives and non-security professionals.

The other day, I learned a great lesson about security metrics while getting a haircut. Initially, this may sound like a bit of an odd statement, but I promise it will make sense in the end. The woman cutting my hair asked me: “Should I cut off one-half inch?” Putting aside my preference for the metric system and dislike of the imperial system, I found this question to be quite fascinating.

To the woman cutting my hair, the question was a scientific one. Depending on how I answered, she would choose the appropriate scissors and clippers and proceed accordingly. From my perspective, however, the question was meaningless, or at the very least, difficult to parse. I didn’t know how to answer because I have no idea what length I like my hair -- at least not in absolute terms like inches or centimeters.

What does this have to do with security metrics? Let’s begin to answer that question by examining the definition of the word “metrics.” A metric is defined as “a method of measuring something, or the results obtained from this.” In order for me to understand and subsequently answer the question, I had to translate into a method of measurement that I could understand. After a small amount of research, I learned that hair generally grows one-quarter inch per month. In the context of this example, the question translated into relative terms I could understand would be: “Should I cut off two months of growth?”

As security professionals, we tend to get used to a certain way of thinking, speaking, measuring, and communicating. What we sometimes forget is that to many people (most notably leaders such as our executives and boards), the value we bring is not always easy to understand. It’s not that we aren’t working hard, doing more with less, adding value to the organizations we serve, and sometimes working small miracles. Rather, it’s that we struggle to translate those efforts into a meaningful context. What’s missing is a way for us to communicate our value in terms that non-security professionals can understand and evaluate.

To illustrate this point, let’s work through some examples. Many security organizations regularly report a familiar set of metrics to their leadership. These metrics tend to be absolute in nature. What do I mean by that? Absolute metrics are metrics that involve quantitative measures that are not relative to or dependent on anything else. For example, absolute metrics that some of us might be familiar with include:

  • Number of infected endpoints during a specific time window
  • Number of brute force attempts during a specific time window
  • Average length of time a ticket remains in the “open” or “unresolved” state

Although these metrics may seem familiar, they represent a critical disconnect with the prioritized list of risks and threats security-aware leaders are most concerned with. Preventing damage to the organization from those very risks and threats is likely a top priority for these individuals on a daily basis. It is against those priorities that the security-aware leader will likely evaluate the successes of his or her security organization, along with determining areas for improvement.

When we look at the subject of metrics from this perspective, it becomes a bit easier to see why traditional, absolute metrics do not fit the task at hand. What’s missing from the discussion is a mapping between the tactical and operational work going on within the security organization and the strategic view taken by leaders. Enter relative metrics.

Relative metrics are metrics that involve quantitative measures that are “translated” or “mapped” to the priorities of leadership. Relative metrics allow the security organization to effectively measure and communicate its successes and areas for improvement in terms that leadership can internalize. Taking the three illustrative absolute metrics referenced above and converting them into relative metrics might result in the following examples:

  • Amount of sensitive data exfiltrated via infected endpoints during a specific time window
  • Risk and exposure as a result of critical assets successfully compromised via brute force attacks during a specific time window
  • Median-time-to-remediation (MTTR)

As we can see, these relative metrics more precisely speak the language of our leaders. They do this by taking the absolute metrics and mapping them to the risks and threats that most concern our leadership. Of course, each organization will have its own unique concerns. That prioritized list should guide the development of relative metrics inside each organization.

It’s hard to imagine how a conversation between two people speaking two mutually unintelligible languages could result in the productive exchange of ideas. Yet, in the security world, we often live this very experience daily. Tactically and operationally focused security teams speak metrics that are unintelligible to their strategically focused leaders. In my experience, in order for effective communication to occur, everyone needs to be speaking the same language. Metrics and measurement are no exception.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Plumber
50%
50%
Plumber,
User Rank: Apprentice
3/21/2017 | 5:13:15 PM
Re: Plumber Hair Cuts
I need one myself!!!
baller188
100%
0%
baller188,
User Rank: Apprentice
3/14/2017 | 6:03:51 AM
Trading Hair Cuts
Great story telling, i was smiling all the way through. In fact i'm thinking of going to get a hair cut.
Enrico Fontan
50%
50%
Enrico Fontan,
User Rank: Strategist
6/16/2015 | 11:05:20 AM
Change context
I agree with your thoughts. Usually the management needs only smart indicators of security exposures (ex: green/red traffic light) not technical discussions about trends, security exposures and so on.

A Security Manager needs to be able to translate security concepts in different context.

This will bring some responsibilities. What if translation goes wrong?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/9/2015 | 2:01:39 PM
Drawing Parallels
I agree with this article to an extent. There are two distinct languages between security folk and non-security folk however there is commonality between them. It's more that people are bilingual. They have their craft and their language. Where we fail is drawing parallels to non-security people from our commonality (language). Same as a teacher, if you cannot get a person to understand how if affects them or reach them on an interest level it is difficult for a person to absorb a lesson. You could talk about data exfiltration and its intricacies all day but until you explain that peoples social security numbers could be used through this process for nefarious means its unlikely you will get through. We have the ability, we just need to harness it in a more apt manner.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.