Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/3/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Security Measures That Can Actually Be Measured

The massive budgets devoted to cybersecurity need to come with better metrics.

Why is so much of technology security such a mystery? In particular, why does it have so few metrics?

I get it. For any given company, if there hasn't been a breach lately, it's assumed that defenses must be working. But shouldn't there be better measurements of effectiveness? Some level of business accountability? A basic ROI calculation?

Consider the size of the security budget: Gartner projects that global spending on information security products and services will exceed $93 billion in 2018 alone, and that number keeps growing. Last year, we saw the seventh continuous year of security budget increases, with a combined annual growth rate of 6% from 2010 to 2013, and 11% from 2014 to 2017.

Let's bring up the bottom line here. Cybersecurity is not an IT issue. It's a business conversation. In fact, it's a business priority.

As a retired Major General of the U.S. Air Force with three decades of experience leading large-scale efforts to defend global networks, I've been at the intersection of big budgets and serious dangers to infrastructure security. I understand the complex and always-expanding challenges that security chiefs face. There are always new technologies featuring strange vulnerabilities, evolving threat vectors, and emerging cybercriminal operations with sophisticated tactics.

However, this doesn't mean that cybersecurity initiatives should get a pass on the standards that every other department must meet. And for a long time, they've enjoyed exactly that freedom.

Sure, most organizations do make efforts to measure cybersecurity effectiveness, but not in terms of how it benefits the business. The SMI benchmark survey, which consulted 400 global business and security executives, found that 58% of respondents scored a "failing grade" when evaluating their organization's efforts to measure their cybersecurity investments and performance against best practices.

Unlocking the Mysteries of Cybersecurity
Somehow, cybersecurity investments are seldom seen as business decisions. Rather, they are viewed as a kind of mysterious black box with contents that are a deeply held secret. Don't ask too many questions, because it might jinx the process.  

So, what's the answer here? How do we measure cybersecurity effectiveness like every other metrics-driven business unit? When I was CIO at US Transportation Command, I established an oversight committee to evaluate the business impact and risks associated with cybersecurity investments. The channel of communication from the security operations center to the CISO to the boardroom had a major impact.  

Most organizations still don't apply business-related, risk-based metrics to their cybersecurity efforts. Those that do often measure the wrong things — for example, things that can't be validated or represent only a snapshot in time. The key question to ask is: "Are we measuring the validity, value, and effectiveness of our cybersecurity controls?"

Traditional models of measuring cybersecurity effectiveness are siloed and fragmented; cybersecurity measures are managed across separate enterprise channels, and important data is underutilized. Cybersecurity for business needs to be holistic and intelligent while delivering actionable insights, so that resources are focused and prioritized based on associated risk.

For example, IT and networking shops have countless management layers in order to perform synthetic transactions, run Internet Control Message Protocol (ICMP), and answer questions about their environment: "Is my network up? Is it fast?" Capacity planning predicts how much disk space, CPU, and RAM is required based on trends. Why don't we have processes like these for cybersecurity? Specifically, what are the technologies and processes we can implement to position cybersecurity as a metrics-driven business unit? I offer three possibilities.

Possibility 1: Elevate Security to the Highest Levels
Let executives from the boardroom on down be directly involved in management, with all the accountability that requires. The primary question is: "Are we acting appropriately regarding cybersecurity for our customers and our shareholders?"

An enterprise cannot determine how much risk to avoid, accept, mitigate, or transfer (via cyber insurance) without actionable metrics backed by empirical data. This happens when a CISO can compare and trend both subjective security data (such as internal assessments) and objective data points (such as automated monitoring). By contrast, legacy metrics like "time to patch" and "number of attacks stopped by the firewall" are static views. A true security posture can only be achieved through real-time automated assessments of the controls in place.

Possibility 2: An Automated and Proactive Defense
Organizations now face more pressure and more aggressive threats than ever before. Consequently, the defense strategy must be proactive and automated. For example, penetration testing results can be automated for continual (rather than periodic) evaluation.

Possibility 3: Visibility into Business Risk
Forget the mystery. Develop quantitative and measurable data to make wise security investment choices. Ideally, measure and communicate cyber-risk in financial terms, such as the probability and expected cost of security incidents based on current cyber-risk conditions.

None of this will be easy. But as the budgets continue to spike — even as the data breaches keep happening — we need to tie security to accountability. This is a business, and that makes business sense.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BigIng123
50%
50%
BigIng123,
User Rank: Apprentice
9/28/2020 | 11:03:33 AM
We need more security measures
I thought that creating a strong and different password and not installing the unknown soft is enough to remain safe online. But I've found that list lately https://utopia.fans/security/checklist-of-necessary-security-measures-on-the-internet/ and understood that there are much more security measures to follow. It's a pity not many people know and care about it.
Octerain
0%
100%
Octerain,
User Rank: Strategist
4/5/2018 | 1:55:19 AM
Re: More abstract nonsense about metrics
Yes rfra, this is what they call "modern reporting". You talk a lot and then say very little. I agree that measure and metrics versus reports and statistics are what we should be doing, but very little is provided in real IP or solutions that others can interpret and implement. The pragmatics will side versus the academics. The one with the eloquent speech will get the budget.
rfra
80%
20%
rfra,
User Rank: Apprentice
4/3/2018 | 3:34:56 PM
More abstract nonsense about metrics
You should re-title this article to "3 non-specific pipe dream ideas for which I present nothing to actually measure".  I'm so sick of all this industry talk about security metrics and nobody ever produces actual useful examples.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7779
PUBLISHED: 2020-11-26
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, [email protected]-----------------------------------------------------------!.
CVE-2020-7778
PUBLISHED: 2020-11-26
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
CVE-2020-29128
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
CVE-2020-27251
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVE-2020-27253
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.