
Risk | Commentary
1/27/2020 10:00 AM
Curtis Simpson

How to Get the Most Out of Your Security Metrics

There's an art to reporting security metrics so that they speak the language of leadership and connect the data from tools to business objectives.

Much is at stake when reporting security metrics. This data is critical for management to evaluate security programs and justify further investment in security tools. The value of metrics comes from their ability to tell larger stories about a business that resonate with key stakeholders. You lose that opportunity if security teams use the wrong metrics — those that are overly technical or detailed — or miscommunicate the right metrics. Here are some of the more common reporting mistakes and best practices for avoiding them. 

Generic or Overly Technical Metrics
The first mistake is the generic report: the number of attacks observed in a given period and the percentage that were prevented versus the percentage that had an impact. Those numbers say nothing about the maturity of a security program.

Metrics that are shallow or too high level don't tie back to specific business strategies or critical objectives. They have limited value and don't track the overall effectiveness of security operations. Relying on simple metrics to tell the larger risk story can also have an unintended budgetary impact. For example, if a team consistently reports that 99% of known cyberattacks are being prevented, why would leadership fund another solution for the security portfolio?

On the flip side are metrics that are too technical or detailed for the board to understand. For instance, leaders don't need a breakdown of each vulnerability by operating system or platform. Why? It's not clear how that information relates back to critical business functions or strategic objectives — in other words, the language of the business. Faced with data they don't understand, board members not only will lose interest in the conversation, they may even question the security leadership's strategy.

Connect Metrics to Business Outcomes 
A more effective way of reporting to leadership is to speak directly to the risk level associated with critical business functions, the core contributors to this risk, and the actions being taken. For example, security leaders should be ready to answer these questions: 

  • What kinds of attacks are we prepared to defend against? 
  • Where do we have deficiencies as an organization, and what risks to business operations are elevated as a result? 
  • What is being done to reduce such risks (from a business and technology perspective)? 
  • Has a risk grown in significance? 
  • What is the proposed strategy to reduce the risk to an acceptable level? 

The storytelling needs to focus on business risk rather than technical facts. 

Let's dive into an example. Company X has identified that nontraditional competitors are taking market share by solving long-standing complaints or requests from customers. One of the requests is the ability to place online orders 24/7 and to have such orders fulfilled within 24 hours.

From a security practitioner's perspective, this can be interpreted as "no critical business operations or capabilities supporting online ordering or fulfillment can be affected by a cyberattack, and if unavoidably affected, they must be rapidly recovered." When viewed from this perspective, the metrics of value become clear. What are the top risks to enabling and protecting the related critical business capabilities and the underlying supporting technology? How likely is each risk to materialize? What is the potential monetary impact of the likely event, and what are the key risk contributors? What is already being done, and what is the proposed cross-functional strategy to mitigate the residual risk?

Metrics Overload
Often, security teams deliver an overwhelming amount of metrics and data to the technical teams responsible for fixing vulnerabilities through software updates and/or configuration changes. For example, these metrics often detail the number of critical-, high-, medium-, and low-risk vulnerabilities across the entire environment with little or no logical prioritization.

But not all vulnerabilities are equally important or have equal business effects. Exhaustive reports that list the details and remediation actions for every identified vulnerability rarely produce a meaningful outcome. Executives reading them are overwhelmed by the volume of information or misunderstand it. Too many metrics deter people from taking action or cause miscommunication, which delays remediation and increases the likelihood of exploitation and business impact.

Focus on the Biggest Risks
Instead, help technical teams understand the most important vulnerabilities that require their attention and what progress needs to be made. Again, this needs to be tied back to key business objectives and prioritized based on those functions. 

Let's refer back to the Company X example and its objective to deliver 24/7 online ordering and order fulfillment capabilities to its customers. Vulnerabilities with a high potential for exploitation and the potential to significantly affect these critical business operations should be prioritized for remediation. It's also important to prioritize cases where executing a specific remediation action (for example, updating a software package on all PCs to the latest version) will have a significant risk reduction impact against common attack vectors being exploited by bad actors.  

People presented with a massive list of objectives often are overwhelmed to the point that no action is taken, or too few actions are taken to make a difference. Instead, presenting people with a list of specific actions to take first, next, and last, and specifying how these actions will directly affect business operations, lets people take action and feel a level of accomplishment. This can keep the team engaged. 
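The risk questions raised in the Company X example and the first/next/last remediation list described above can be turned into a small, repeatable calculation. The following Python script is an added example written for this page, not tooling from the article's author or from Armis; every business function, dollar figure, likelihood weight and finding in it is constructed for illustration. It scores each finding as likelihood times the single loss expectancy of the business function the asset supports, rolls the result up per function for the leadership view, and groups findings by the action that fixes them so the engineering team receives a ranked plan rather than a severity histogram.

```python
"""Roll vulnerability findings up into business-risk metrics.

Added example for this page, not code from the article's author or from
any vendor. Every business function, dollar figure, finding and weight
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    hourly_loss_usd: int      # assumed revenue lost per hour the function is down
    outage_hours: int         # assumed time to recover after a successful attack

    def single_loss(self) -> int:
        """Single loss expectancy (SLE): cost of one successful attack."""
        return self.hourly_loss_usd * self.outage_hours


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    function: str             # business function the asset supports
    cvss: float               # technical severity as the scanner reports it
    exploited_in_wild: bool   # active exploitation observed (assumed threat intel)
    exposure: str             # "internet", "internal" or "isolated"
    remediation: str          # the single action that closes the finding


# Assumed annual likelihood (percent) that an attacker reaches and exploits
# the finding, keyed by network exposure; active exploitation adds a bump.
EXPOSURE_LIKELIHOOD_PCT = {"internet": 60, "internal": 20, "isolated": 5}
EXPLOITED_BUMP_PCT = 30


def likelihood_pct(f: Finding) -> int:
    pct = EXPOSURE_LIKELIHOOD_PCT[f.exposure]
    if f.exploited_in_wild:
        pct += EXPLOITED_BUMP_PCT
    return min(pct, 100)


def expected_loss(f: Finding, functions: dict[str, BusinessFunction]) -> int:
    """Annualized loss expectancy for one finding: likelihood x SLE (integer dollars)."""
    return functions[f.function].single_loss() * likelihood_pct(f) // 100


def risk_by_function(findings, functions) -> dict[str, int]:
    """The board-level view: dollars at risk per critical business function."""
    totals: dict[str, int] = defaultdict(int)
    for f in findings:
        totals[f.function] += expected_loss(f, functions)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def remediation_plan(findings, functions) -> list[tuple[str, int, list[str]]]:
    """The engineering view: actions ordered by the dollars of risk they retire.

    Findings closed by the same action are grouped, so one fleet-wide patch
    that removes several findings ranks above a single scary-looking CVE.
    """
    by_action: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_action[f.remediation].append(f)
    plan = [
        (action, sum(expected_loss(f, functions) for f in fs), [f.vuln_id for f in fs])
        for action, fs in by_action.items()
    ]
    plan.sort(key=lambda row: row[1], reverse=True)
    return plan


def order_by_cvss(findings) -> list[str]:
    """What a raw scanner export would tell the team to fix first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def order_by_business_risk(findings, functions) -> list[str]:
    """Same findings, ranked by expected loss to the business function they threaten."""
    return [f.vuln_id for f in
            sorted(findings, key=lambda f: expected_loss(f, functions), reverse=True)]


# Constructed data for "Company X": two customer-facing functions, one internal
# function, and five findings from a scan.
FUNCTIONS = {fn.name: fn for fn in [
    BusinessFunction("online_ordering", hourly_loss_usd=50_000, outage_hours=12),
    BusinessFunction("order_fulfillment", hourly_loss_usd=40_000, outage_hours=24),
    BusinessFunction("intranet_wiki", hourly_loss_usd=500, outage_hours=48),
]}

FINDINGS = [
    Finding("V-1", "portal-web-01", "online_ordering", 8.1, True, "internet",
            "Patch web framework on the portal cluster"),
    Finding("V-2", "order-api-02", "online_ordering", 7.5, False, "internet",
            "Patch web framework on the portal cluster"),
    Finding("V-3", "wms-db-01", "order_fulfillment", 6.5, True, "internal",
            "Upgrade WMS database to a vendor-supported release"),
    Finding("V-4", "wiki-01", "intranet_wiki", 9.8, True, "internet",
            "Patch wiki plugin"),
    Finding("V-5", "label-printer-07", "order_fulfillment", 9.0, False, "isolated",
            "Update label printer firmware"),
]

if __name__ == "__main__":
    print("Scanner order (CVSS):", order_by_cvss(FINDINGS))
    print("Business-risk order: ", order_by_business_risk(FINDINGS, FUNCTIONS))
    print("Dollars at risk by business function:")
    for name, usd in risk_by_function(FINDINGS, FUNCTIONS).items():
        print(f"  {name:<18} ${usd:>9,}")
    print("Remediation plan (first, next, last):")
    for action, usd, ids in remediation_plan(FINDINGS, FUNCTIONS):
        print(f"  ${usd:>9,}  {action}  ({', '.join(ids)})")
```

Run it and compare the two orderings. The scanner's CVSS ranking puts the wiki plugin (9.8) and the isolated label printer (9.0) first; the business-risk ranking puts the internet-facing ordering portal and the fulfillment database first, and a single patch action on the portal cluster retires $900,000 of expected annual loss across two findings. The weights are deliberately crude, and a real program would draw likelihood from its own incident and threat-intelligence data, but the rank order should come from exposure and business impact, not from the scanner's severity label alone.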

There is an art to reporting security metrics so that they speak the language of leadership and effectively connect the data from security tools and processes to key business objectives. It's crucial to articulate the metrics well so business leaders understand the significance and recognize the true effect the security program is having. Without this understanding, security teams, budgets, and processes could be overlooked, which increases security risks to the company and could negatively affect brand reputation and customer trust.


As the CISO at Armis, Curtis Simpson is responsible for ensuring that the Armis product continues to maintain its high standard and vigilant focus on platform and customer security and privacy. Prior to Armis, he was the CISO at Sysco, a Fortune 54 corporation. ...
Comments
tdsan (User Rank: Ninja), 3/26/2020 | 12:29:21 PM
Great post and valid points
One thing that was not covered (of course everything cannot be covered) is the human element. There are certain things that pertain to individuals being tired, disgruntled, under-paid or any other litany of reasons. You have to ask yourself, with all of the things that have been put in place, why are we still being breached:
  • S3 Bucket found online that holds pertinent user data (Census Bureau, Marriott, Equifax, and others)
  • User was able to access DB online with no secured SA password
  • OPM allowed millions of records to be accessed (I think this was due to poor management, she did nothing to review her existing operations)
  • DoD - Military records and Spy-tools (Shadow Brokers) stolen from NSA, Navy, Air Force and Army
  • Capital One - someone who used to work there was able to find a vulnerability and exploit it to the point of sharing financial records with overseas extremist groups

I mean the list goes on and nothing has been done to punish or enforce rules of operations (has anyone done an investigation and provided steps they have taken to fortify their environment, was anyone fired and was this made public).
  • https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html
  • https://www.gflesch.com/blog/biggest-cyberattacks-2019
  • https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents

At the end of the day, until teeth are put into certain cybersecurity rules of engagement, we will continue to work with incompetence and lack of understanding even at the highest levels. Don't get me wrong, having statistics and metrics to capture the potential threats, but if it falls on deaf ears, especially at the executive levels, without having a proper planning and implementation strategy, then this is just a useless exercise in futility.

T

SEODan (User Rank: Apprentice), 1/28/2020 | 5:53:42 AM
So true
"But not all vulnerabilities are equally important or have equal business effects."

This is so true. Business owners often take some problems too seriously, and some others too lightly.