Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

4/3/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Security Measures That Can Actually Be Measured

The massive budgets devoted to cybersecurity need to come with better metrics.

Why is so much of technology security such a mystery? In particular, why does it have so few metrics?

I get it. For any given company, if there hasn't been a breach lately, it's assumed that defenses must be working. But shouldn't there be better measurements of effectiveness? Some level of business accountability? A basic ROI calculation?

Consider the size of the security budget: Gartner projects that global spending on information security products and services will exceed $93 billion in 2018 alone, and that number keeps growing. Last year, we saw the seventh continuous year of security budget increases, with a combined annual growth rate of 6% from 2010 to 2013, and 11% from 2014 to 2017.

Let's bring up the bottom line here. Cybersecurity is not an IT issue. It's a business conversation. In fact, it's a business priority.

As a retired Major General of the U.S. Air Force with three decades of experience leading large-scale efforts to defend global networks, I've been at the intersection of big budgets and serious dangers to infrastructure security. I understand the complex and always-expanding challenges that security chiefs face. There are always new technologies featuring strange vulnerabilities, evolving threat vectors, and emerging cybercriminal operations with sophisticated tactics.

However, this doesn't mean that cybersecurity initiatives should get a pass on the standards that every other department must meet. And for a long time, they've enjoyed exactly that freedom.

Sure, most organizations do make efforts to measure cybersecurity effectiveness, but not in terms of how it benefits the business. The SMI benchmark survey, which consulted 400 global business and security executives, found that 58% of respondents scored a "failing grade" when evaluating their organization's efforts to measure their cybersecurity investments and performance against best practices.

Unlocking the Mysteries of Cybersecurity
Somehow, cybersecurity investments are seldom seen as business decisions. Rather, they are viewed as a kind of mysterious black box with contents that are a deeply held secret. Don't ask too many questions, because it might jinx the process.  

So, what's the answer here? How do we measure cybersecurity effectiveness like every other metrics-driven business unit? When I was CIO at US Transportation Command, I established an oversight committee to evaluate the business impact and risks associated with cybersecurity investments. The channel of communication from the security operations center to the CISO to the boardroom had a major impact.  

Most organizations still don't apply business-related, risk-based metrics to their cybersecurity efforts. Those that do often measure the wrong things — for example, things that can't be validated or represent only a snapshot in time. The key question to ask is: "Are we measuring the validity, value, and effectiveness of our cybersecurity controls?"

Traditional models of measuring cybersecurity effectiveness are siloed and fragmented; cybersecurity measures are managed across separate enterprise channels, and important data is underutilized. Cybersecurity for business needs to be holistic and intelligent while delivering actionable insights, so that resources are focused and prioritized based on associated risk.

For example, IT and networking shops have countless management layers in order to perform synthetic transactions, run Internet Control Message Protocol (ICMP), and answer questions about their environment: "Is my network up? Is it fast?" Capacity planning predicts how much disk space, CPU, and RAM is required based on trends. Why don't we have processes like these for cybersecurity? Specifically, what are the technologies and processes we can implement to position cybersecurity as a metrics-driven business unit? I offer three possibilities.

Possibility 1: Elevate Security to the Highest Levels
Let executives from the boardroom on down be directly involved in management, with all the accountability that requires. The primary question is: "Are we acting appropriately regarding cybersecurity for our customers and our shareholders?"

An enterprise cannot determine how much risk to avoid, accept, mitigate, or transfer (via cyber insurance) without actionable metrics backed by empirical data. This happens when a CISO can compare and trend both subjective security data (such as internal assessments) and objective data points (such as automated monitoring). By contrast, legacy metrics like "time to patch" and "number of attacks stopped by the firewall" are static views. A true security posture can only be achieved through real-time automated assessments of the controls in place.

Possibility 2: An Automated and Proactive Defense
Organizations now face more pressure and more aggressive threats than ever before. Consequently, the defense strategy must be proactive and automated. For example, penetration testing results can be automated for continual (rather than periodic) evaluation.

Possibility 3: Visibility into Business Risk
Forget the mystery. Develop quantitative and measurable data to make wise security investment choices. Ideally, measure and communicate cyber-risk in financial terms, such as the probability and expected cost of security incidents based on current cyber-risk conditions.

None of this will be easy. But as the budgets continue to spike — even as the data breaches keep happening — we need to tie security to accountability. This is a business, and that makes business sense.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Octerain
0%
100%
Octerain,
User Rank: Strategist
4/5/2018 | 1:55:19 AM
Re: More abstract nonsense about metrics
Yes rfra, this is what they call "modern reporting". You talk a lot and then say very little. I agree that measure and metrics versus reports and statistics are what we should be doing, but very little is provided in real IP or solutions that others can interpret and implement. The pragmatics will side versus the academics. The one with the eloquent speech will get the budget.
rfra
80%
20%
rfra,
User Rank: Apprentice
4/3/2018 | 3:34:56 PM
More abstract nonsense about metrics
You should re-title this article to "3 non-specific pipe dream ideas for which I present nothing to actually measure".  I'm so sick of all this industry talk about security metrics and nobody ever produces actual useful examples.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19797
PUBLISHED: 2019-12-15
read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write.
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.