Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Searching For Security's Yardstick

Despite rising threats, most security organizations still don't have clear metrics for measuring their performance -- or their enterprises' security posture

There’s an old saying in IT: You can’t manage what you can’t measure. If that’s true, however, security managers must be in a world of hurt.

Across this usually contentious security industry, there is violent agreement about two points: Security departments need better ways to prove that their organizations are safe, and there are no clear-cut numbers that definitively prove that point.

"So you’re in the management meeting, and the sales guy gives specific numbers about orders and gross revenue," says Steve Dauber, vice president of marketing at RedSeal, which makes software designed to monitor security posture. "The networking guy gives numbers about uptime and throughput and response time. Then it comes around to the security guy, and he says, 'Well, we didn’t get hacked today.'"

The basic problem, experts say, is that it’s tough to measure a negative. If security’s primary goal is to prevent outsiders from getting in -- and insider data from getting out -- what numbers are there to measure its success? The only clear metric is a negative: How many times has a compromise been discovered?

"The measure of success in security is that nothing bad happened," says Mike Rothman, an analyst for Securosis, a security consulting firm. "Your best day is going to be that zero bad things occurred. There's never going to be a measurement that shows that good things are happening."

If security is about prevention of leaks and attacks, then what metrics should security departments show their bosses to prove that they are doing their jobs well?

"I think you have to start with things you can control," says Scott Crawford, an analyst at Enterprise Management Associates, a consulting firm that focuses on systems and network management. "If you can't change the controls, then metrics won't do you any good."

Setting a security policy -- and the means to monitor it -- is a good place to start, Crawford says. "If you set a policy and there is a growing number of systems or users that are operating outside the policy, then that's something you can act on, either through education or through greater controls," he observes.

But security professionals should be wary of "dashboards" and artificial measures that don't have meaning for the specific business that their enterprises are in, says Gary Hinson, CEO of security consulting firm iSecT in New Zealand.

"Some companies begin with a long list of 'security things that can be measured' and then try to shoehorn them into some sort of metrics system or dashboard. That, to me, is the wrong way to go about things," Hinson says. "You don't design an aircraft cockpit's information systems with a list of things that can be readily measured on the aircraft. You start by asking what does the pilot need to know -- altitude, azimuth/heading, etc. -- and then prioritizing those things, organizing them into related groupings, and finally filling the dashboard.

"Then you get lots and lots of feedback from pilots about what is missing, superfluous, misleading, wrongly positioned, too big/too small, too annoying/too discreet, etc.," Hinson continues. "In other words, the metrics design process is very interactive, involving the system designers, instrumentation specialists, engineers, and pilots all working together to define, design, and refine the metrics system."

Next: Basic metrics Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
CVE-2020-29379
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
CVE-2020-29380
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
CVE-2020-29381
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
CVE-2020-29382
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.