Metrics & Reporting: A Failure in Communication
CONTENTS
Metrics and Reporting
The Problem Measured
Is This Important?
‘Communication is What the Receiver Does’
What IT/Security is Doing
The Danger in Poor Communication
What is IT/Security Doing About this Lack of Communication?
What Should IT/Security Be Doing?
© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate.
This publication may not be reproduced or distributed in any form without Wisegate's prior written
permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
In June of 2014, Wisegate conducted a member-driven research initiative designed to
assess the current state of security risks and controls in business today. Assessing IT
Security Risks addresses many of the top takeaways from this survey. This document is the
first in a series of reports designed to look more closely at four specific issues highlighted
by that survey.
» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration
Metrics and Reporting
This document might have just as easily been titled, ‘The Lack of Metrics’. It is highlighted
in a simple conclusion reached in Assessing IT Security Risks:
“Overall, [security] teams were optimistic but not overwhelmingly confident.”
On the surface this statement contains a contradiction: how can someone be genuinely
optimistic without also being confident? The apparent contradiction points to a potentially
widespread problem in information security. CISOs are continually improving their
companies' security, but have little ability to measure that improvement (or, indeed, its
absence).
Without metrics of success or failure, security teams can be optimistic about what they are
doing, but cannot be confident of its effect.
This problem is then compounded. Metrics form the basis of business-level reporting, and
without those metrics IT struggles to effectively communicate security issues to Business.
The Problem Measured
Participants in this survey were asked, ‘do you have metrics in place to track your top three
risks?’ (see Figure 1). Overall, 50% do not have metrics.
…the real problem with security risk management in the enterprise isn’t of
confidence—it’s of measurement; survey respondents don’t really have a good way
of indicating the effectiveness (or lack thereof) of existing programs.
—Assessing and Managing IT Security Risks
Figure 1: Survey Question: Do you have a metric to measure the risk in your top
three areas of concern?
Source: Wisegate June 2014
Compounding this, there is general agreement that the top three risks are growing: more
than 80% of participants believe that major risks are increasing in their industry (see Figure
2).
[Note: These three ‘top risks’ are non-specific—they are whatever the participant
considered to be his or her personal top three risks. Overall, the top three risks are
malware, data breaches and outsider threat.]
Figure 2: Survey Question: Which risks are growing for your specific company and
industry?
Source: Wisegate June 2014
What this means, in effect, is that IT cannot accurately communicate an increasing security
risk to Business; and Business cannot accurately understand that security risk and its
possible impact on the business.
Is This Important?
This lack of communication is very important, for three particular reasons:
» Real security cannot be achieved without full Business buy-in.
» Business is likely to become suddenly very keen on understanding security
following the recent prosecution of FedEx in what can be seen as an extension of
the ‘failure to prevent’ theory. “This bodes ill not only for corporations that fail to
prevent criminal activity, but for corporate compliance officers whose programs,
when scrutinized under the glare of 20-20 hindsight, may be found deficient.”[1] It is
possible that within a relatively short period, individual board members could be
held legally liable for security failures.
» Boards are being urged by the National Association of Corporate Directors to be
more proactive in information security.
The reality is that possibly for the first time, corporate boardrooms are taking cyber security
seriously. The continuous flow of news of major security breaches in major companies is
having an effect. Boards are asking:
» How does our security stack up?
» How do we compare with other companies in our sector?
Without adequate security metrics to answer those questions in the language that Business
understands, IT/Security will miss a major opportunity.
‘Communication is What the Receiver Does’
It is a tenet of communication that you have to listen. There are signs that Business is ready
to listen.
In July 2014 the National Association of Corporate Directors published a new handbook for
its members: Cyber-Risk Oversight[2]. Its advice to directors is organized around five key
principles:
1. Directors need to understand and approach cyber security as an enterprise-wide
risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to
their company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions
about cyber-risk management should be given regular and adequate time on the
board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide
cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include
identification of which risks to avoid, accept, mitigate or transfer through insurance
as well as specific plans associated with each approach.
[1] The Rise of 'Failure to Prevent' Crimes and CCO Liability; New York Law Journal (27 October 2014):
http://newyorklawjournal.com/id=1202674374593
[2] Cyber-Risk Oversight Handbook (free to NACD members): http://www.nacdonline.org/cyber
That last point highlights the need for discussion between IT/Security and the board. When
the handbook was first published, Internet Security Alliance President Larry Clinton
commented, "Most business leaders do not spend a lot of time talking about ISO standards
and NIST framework. They talk about things like profitability, growth, innovation, product
development, price-to-earnings ratios. This publication, perhaps for the first time, attempts
to put cybersecurity squarely within that business context."
But while Business might be ready to listen, IT/Security still finds it difficult to speak in a
language that Business understands.
What IT/Security is Doing
IT/Security is taking a risk-based approach to defending systems; but it currently lacks the
means to report the risk status to boards and internal business partners.
“CISOs are measuring tactical things,” explains the Assessing IT Security Risks lead author,
Bill Burns. “What metrics exist are events-driven: how much classified data was blocked
from leaving the system; how many malware hits were stopped at the firewall or by the AV
software. But there exists a huge disconnect between such activity-based metrics and
rolling them up into ‘what is the impact of our security programs on the business’.”
The problem, he suggests, is that there remains a tool-centric rather than risk-centric view
of security—and the tools that are available rarely provide metrics that can be combined
into an overall metrics-based company risk report suitable for delivery to the board. This
leads to a failure of communication between IT/Security and Business—which is, says
Burns, a major challenge for IT/Security.
To a large degree this problem is a natural result of the security product market, which
comprises a wide range of distinct point products. The natural desire to take a ‘best of
breed’ approach (that is, to use the best available solution for each separate risk) does not
lend itself to seamless security metrics. The extent of the problem can be seen in Figures 3
to 6, taken from the survey. The diversity of products expected to be in use over the next
3-5 years makes seamless, cohesive reporting across the whole security discipline difficult
to achieve, and almost impossible in a format suitable for presentation to business
management. This is unlikely to change within the next five years.
Figure 3: Survey Question: Which endpoint-targeted security controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 4: Survey Question: Which mobility / IoT security control will be most
important to your company in the next 3-5 years?
Source: Wisegate, June 2014
Figure 5: Survey Question: Which of these Messaging, File/Doc Sharing controls
will be a top priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 6: Survey Question: Stack-rank these Infrastructure controls by which will be
a top priority to you in the next 3-5 years.
Source: Wisegate, June 2014
This volume of different products makes communicating strengths and weaknesses in the
corporate security profile in relation to business impact a difficult proposition. “Although this
sounds harsh,” comments Burns, “it results in a failure of the security teams to
communicate in business terms, and for business people to understand security. There’s a
business gap—and it’s one of the biggest challenges I see for Security.”
The Danger in Poor Communication
The two primary dangers of poor communications are:
» A continuing disconnect between Business and Security, leading to underfunding
and weak policy implementation
» A Business concentration on the one set of industry-wide metrics already available:
compliance checklists
Many security teams already believe they suffer from the first, and many more will
increasingly come up against the latter.
“I think we are finally at the point, with so many large scale breaches,” explains Burns, “that
Business is taking Security seriously. Boards are ready to listen if we can learn their
language to speak to them. What they want to know is, ‘are we doing everything we should
be doing; and are we doing what our peers are doing?’”
It is that latter point that leads Business to concentrate on compliance-based security. If the
only metrics available are the compliance regulations, then conforming strictly to those
requirements serves two purposes: firstly it provides a defense against any possible ‘failure
to prevent’ legal challenges; and secondly it provides a likely ‘peer comparison’ point.
Most security professionals do not believe that conforming to a compliance checklist
provides the best possible security. Unless Security can develop its own metrics and
reporting, however, Business will increasingly rely on compliance instead, possibly to the
detriment of real security.
What is IT/Security Doing About this Lack of
Communication?
IT/Security readily acknowledges that communication is a problem. “People accept that this
is a problem, and talk about it,” comments Burns. “But not one of the survey participants
could say, ‘I cracked the nut—this is what you have to do to communicate successfully.’”
It is a subject that frequently occurs in Wisegate roundtable discussions. For example, in a
recent Wisegate Live Research call, one CISO with a large financial firm noted:
“The higher you go, the more you need to be able to talk about business drivers in
business language that business can understand. The thing that works best seems
to be stories and analogies—they seem to be the best way to share information with
the more senior individuals in your business.”
—“What are the soft skills required for a career in IT and security?” Roundtable
Talking, however, is not reporting, and stories are not metrics. The reality is that IT/Security
mostly does little more than talk about the problem of metrics and reporting.
What Should IT/Security Be Doing?
The survey shows that IT/Security suffers from a lack of adequate metrics, and this
translates into poor communication between IT/Security and Business. In the short term this
can be improved by aggregating the outputs of the individual security point solutions into a
single, holistic risk rating, and then deriving from it the metrics that demonstrate the impact
of security on the business.
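The roll-up described above, and the gap Bill Burns describes between activity counts (malware hits blocked, data blocked from leaving) and a business-level risk view, can be made concrete. What follows is an added worked example, not code from the Wisegate report or from any product. It normalises constructed exports from three hypothetical point products (an AV console, a DLP gateway and a perimeter IDS) into a common (risk, period, outcome) form, maps each feed onto one of the survey's top three risks, and rates each risk against a tolerance the business is assumed to have agreed. The record field names, the feed-to-risk mapping and the tolerance values are all assumptions. The sample data is built so that raw detection counts rise from one month to the next while control effectiveness falls, which is exactly the case an activity metric on its own hides.

```python
"""Roll activity counts from several point products up into a per-risk rating.

Added worked example; not code from the Wisegate report or from any vendor tool.
The raw records below are constructed to resemble exports from an AV console, a
DLP gateway and a perimeter IDS. Their field names, the mapping of each feed onto
one of the survey's top three risks (malware, data breaches, outsider threat) and
the tolerance figures are assumptions made for illustration.
"""
from collections import defaultdict

# 1. Normalise. Each tool counts in its own vocabulary, so nothing combines until
# every record is reduced to (risk, period, outcome). "blocked" is the tool's win;
# "missed" is what the business pays for: an infection cleaned up after it ran, a
# policy-matched file that still left, an undropped high-severity attack. Records
# with no business meaning (low-severity IDS noise) are dropped by returning None.

def norm_av(rec):
    outcome = "blocked" if rec["action"] == "quarantined" else "missed"
    return ("malware", rec["ts"][:7], outcome)

def norm_dlp(rec):
    outcome = "blocked" if rec["verdict"] == "BLOCK" else "missed"
    return ("data breaches", rec["ts"][:7], outcome)

def norm_ids(rec):
    if rec["severity"] < 4:
        return None
    return ("outsider threat", rec["ts"][:7], "blocked" if rec["dropped"] else "missed")

# 2. Aggregate per (risk, period).
def aggregate(records_by_tool):
    counts = defaultdict(lambda: {"blocked": 0, "missed": 0})
    for norm, records in records_by_tool:
        for risk, period, outcome in filter(None, map(norm, records)):
            counts[(risk, period)][outcome] += 1
    return dict(counts)

# 3. Rate against a tolerance: the number of misses per period the business has
# said it will accept for each risk (assumed values; in practice this is NACD
# principle 5's avoid/accept/mitigate/transfer decision written down as a number).
TOLERANCE = {"malware": 2, "data breaches": 0, "outsider threat": 1}

def rating(risk, missed):
    tol = TOLERANCE[risk]
    if missed <= tol:
        return "GREEN"
    if missed <= 2 * tol + 1:
        return "AMBER"
    return "RED"

def board_view(counts, risk, prev, cur):
    """Summarise one risk across two consecutive periods in business terms."""
    p, c = counts[(risk, prev)], counts[(risk, cur)]
    activity_prev, activity_cur = sum(p.values()), sum(c.values())
    return {
        "risk": risk,
        "rating": rating(risk, c["missed"]),
        "control_effectiveness": round(c["blocked"] / activity_cur, 3) if activity_cur else 1.0,
        "missed": c["missed"],
        "missed_change": c["missed"] - p["missed"],
        # The activity metric the tool would show on its own dashboard.
        "activity_change_pct": round(100 * (activity_cur - activity_prev) / activity_prev)
        if activity_prev else None,
    }

def narrative(view):
    """One line a director can act on; the raw detection count is deliberately absent."""
    trend = ("up" if view["missed_change"] > 0 else
             "down" if view["missed_change"] < 0 else "flat")
    return (f"{view['risk']}: {view['rating']}; {view['missed']} incident(s) got past "
            f"controls this period, {trend} on last period "
            f"(controls stopped {view['control_effectiveness']:.0%} of attempts).")

# Constructed sample exports for May and June 2014, deliberately small.
AV = ([{"ts": f"2014-05-{d:02d}", "action": "quarantined"} for d in range(1, 9)]
      + [{"ts": "2014-05-20", "action": "cleaned"}]
      + [{"ts": f"2014-06-{d:02d}", "action": "quarantined"} for d in range(1, 13)]
      + [{"ts": "2014-06-14", "action": "cleaned"},
         {"ts": "2014-06-15", "action": "cleaned"},
         {"ts": "2014-06-16", "action": "detected_only"}])
DLP = ([{"ts": f"2014-05-{d:02d}", "verdict": "BLOCK", "policy": "PCI"} for d in range(1, 6)]
       + [{"ts": f"2014-06-{d:02d}", "verdict": "BLOCK", "policy": "PCI"} for d in range(1, 7)]
       + [{"ts": "2014-06-21", "verdict": "ALLOW", "policy": "PCI"}])
IDS = ([{"ts": f"2014-05-{d:02d}", "severity": 5, "dropped": True} for d in (1, 2, 3)]
       + [{"ts": f"2014-05-{d:02d}", "severity": 2, "dropped": False} for d in range(10, 14)]
       + [{"ts": f"2014-06-{d:02d}", "severity": 5, "dropped": True} for d in (1, 2, 3)]
       + [{"ts": "2014-06-22", "severity": 4, "dropped": False}])

def run():
    counts = aggregate([(norm_av, AV), (norm_dlp, DLP), (norm_ids, IDS)])
    return [board_view(counts, risk, "2014-05", "2014-06") for risk in TOLERANCE]

if __name__ == "__main__":
    for view in run():
        print(narrative(view))
```

Run it and each of the three narrative lines carries a rating, the number of events that got past controls and the trend. The detection count, which rose 67% for malware in the sample data, is deliberately left out of the narrative because it is the tool's metric, not the business's: more detections with more misses is a worse month, not a better one. The tolerance table is the piece that needs the board conversation the NACD handbook calls for; without an agreed figure there is nothing to rate against, and the output collapses back into activity counts.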
In the longer term the problem is an opportunity for both security users and security
vendors. As the adoption of security-as-a-service offerings gathers pace, security teams can
start to insist on the provision of usable metrics as part of the partner agreement.
PHONE 512.763.0555
EMAIL info@wisegateit.com
www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to
submit your request for membership.

More Related Content

PDF
Assessing and Managing IT Security Risks
PDF
How to measure your cybersecurity performance
PDF
2013 Incident Response Survey
PDF
Hewlett-Packard Enterprise- State of Security Operations 2015
PDF
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
PDF
Priming your digital immune system: Cybersecurity in the cognitive era
PDF
How close is your organization to being breached | Safe Security
PDF
Cover and CyberSecurity Essay
Assessing and Managing IT Security Risks
How to measure your cybersecurity performance
2013 Incident Response Survey
Hewlett-Packard Enterprise- State of Security Operations 2015
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Priming your digital immune system: Cybersecurity in the cognitive era
How close is your organization to being breached | Safe Security
Cover and CyberSecurity Essay

What's hot (18)

PDF
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
PDF
2018 State of Cyber Resilience for Insurance
PDF
Kaspersky: Global IT Security Risks
PDF
Before the Breach: Using threat intelligence to stop attackers in their tracks
PDF
2013-ISC2-Global-Information-Security-Workforce-Study
PDF
Prof m01-2013 global information security workforce study - final
PDF
Research Paper
PDF
State of Security Operations 2016 report of capabilities and maturity of cybe...
PDF
Accenture Banking Security Index
PDF
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
PDF
Finding a strategic voice
PDF
State of Security McAfee Study
PDF
Information Security Governance at Board and Executive Level
PDF
Healthcare Cybersecurity Whitepaper FINAL
PDF
From checkboxes to frameworks
PDF
2015 IA survey - Protiviti
PDF
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
2018 State of Cyber Resilience for Insurance
Kaspersky: Global IT Security Risks
Before the Breach: Using threat intelligence to stop attackers in their tracks
2013-ISC2-Global-Information-Security-Workforce-Study
Prof m01-2013 global information security workforce study - final
Research Paper
State of Security Operations 2016 report of capabilities and maturity of cybe...
Accenture Banking Security Index
Business Continuity And Disaster Recovery Are Top IT Priorities For 2010 And ...
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
Finding a strategic voice
State of Security McAfee Study
Information Security Governance at Board and Executive Level
Healthcare Cybersecurity Whitepaper FINAL
From checkboxes to frameworks
2015 IA survey - Protiviti
SANS 2013 Report: Digital Forensics and Incident Response Survey
Ad

Viewers also liked (9)

PPTX
Information Assurance Metrics: Practical Steps to Measurement
PPTX
Sans 20 CSC: Connecting Security to the Business Mission
PPTX
Information Security Metrics - Practical Security Metrics
PPTX
Web Application Security Vulnerability Management Framework
PDF
Improving Cyber Security Literacy in Boards & Executives
PDF
Scorecards, Learning Metrics and Measurement Strategies
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
PPTX
Build an Information Security Strategy
PDF
Building an effective Information Security Roadmap
Information Assurance Metrics: Practical Steps to Measurement
Sans 20 CSC: Connecting Security to the Business Mission
Information Security Metrics - Practical Security Metrics
Web Application Security Vulnerability Management Framework
Improving Cyber Security Literacy in Boards & Executives
Scorecards, Learning Metrics and Measurement Strategies
Cyber Risk Management in 2017: Challenges & Recommendations
Build an Information Security Strategy
Building an effective Information Security Roadmap
Ad

Similar to Metrics & Reporting - A Failure in Communication (20)

PPTX
Current enterprise information security measures continue to fail us. Why is ...
PDF
ey-global-information-security-survey-2020-report.pdf
PDF
Module 2 - Cybersecurity On the Defense.pdf
PDF
A CIRO's-eye view of Digital Risk Management
PDF
Cybersecurity report-vol-8
PDF
Cybersecurity the new metrics
PDF
Cyber Risks - Maligec and Eskins
PDF
It risk assessment
PDF
Websense
PDF
Audit and Compliance BDR Knowledge Training
PDF
u10a1-Risk Assessment Report-Beji Jacob
PPTX
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
DOCX
The Significance of IT Security Management & Risk Assessment
PDF
Four mistakes to avoid when hiring your next security chief (print version ...
PDF
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
PDF
WhiteHat’s Website Security Statistics Report 2015
PPTX
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
PDF
The case for a Cybersecurity Expert on the Board of an SEC firm
PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
PPTX
What are the key cybersecurity KPIs that businesses.pptx
Current enterprise information security measures continue to fail us. Why is ...
ey-global-information-security-survey-2020-report.pdf
Module 2 - Cybersecurity On the Defense.pdf
A CIRO's-eye view of Digital Risk Management
Cybersecurity report-vol-8
Cybersecurity the new metrics
Cyber Risks - Maligec and Eskins
It risk assessment
Websense
Audit and Compliance BDR Knowledge Training
u10a1-Risk Assessment Report-Beji Jacob
01-Build-an-IT-Risk-Management-Program--Phases-1-3.pptx
The Significance of IT Security Management & Risk Assessment
Four mistakes to avoid when hiring your next security chief (print version ...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
WhiteHat’s Website Security Statistics Report 2015
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
The case for a Cybersecurity Expert on the Board of an SEC firm
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
What are the key cybersecurity KPIs that businesses.pptx

More from Chris Ross (7)

PDF
Malware & Data Breaches: Combatting the Biggest Threat
PDF
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
PDF
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
PDF
Hello, I Must Be Going - Hard Facts on Soft Skills
PDF
Maximizing Your IT Career Needed Skills and Next Steps
PDF
What does Information Security have in common with Eastern Air Lines Flight 401
PDF
5 Tips Every Job-Hunting IT Pro Should Know
Malware & Data Breaches: Combatting the Biggest Threat
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Hello, I Must Be Going - Hard Facts on Soft Skills
Maximizing Your IT Career Needed Skills and Next Steps
What does Information Security have in common with Eastern Air Lines Flight 401
5 Tips Every Job-Hunting IT Pro Should Know

Recently uploaded (20)

PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Empathic Computing: Creating Shared Understanding
PDF
Approach and Philosophy of On baking technology
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
KodekX | Application Modernization Development
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
Cloud computing and distributed systems.
PPTX
A Presentation on Artificial Intelligence
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
NewMind AI Monthly Chronicles - July 2025
Encapsulation_ Review paper, used for researhc scholars
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Understanding_Digital_Forensics_Presentation.pptx
Unlocking AI with Model Context Protocol (MCP)
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Empathic Computing: Creating Shared Understanding
Approach and Philosophy of On baking technology
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Mobile App Security Testing_ A Comprehensive Guide.pdf
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Digital-Transformation-Roadmap-for-Companies.pptx
The Rise and Fall of 3GPP – Time for a Sabbatical?
KodekX | Application Modernization Development
Network Security Unit 5.pdf for BCA BBA.
Cloud computing and distributed systems.
A Presentation on Artificial Intelligence
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Spectral efficient network and resource selection model in 5G networks
NewMind AI Monthly Chronicles - July 2025

Metrics & Reporting - A Failure in Communication

  • 1. 22
  • 2. Metrics & Reporting 2 CONTENTS Metrics and Reporting ............................................................................................................. 3   The Problem Measured........................................................................................................... 4   Is This Important? ................................................................................................................... 5   ‘Communication is What the Receiver Does’ .......................................................................... 6   What IT/Security is Doing........................................................................................................ 7   The Danger in Poor Communication..................................................................................... 10   What is IT/Security Doing About this Lack of Communication? ............................................ 10   What Should IT/Security Be Doing?...................................................................................... 11   © 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate. This publication may not be reproduced or distributed in any form without Wisegate's prior written permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
  • 3. a Failure in Communication 3 In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from this survey. This document is the first in a series of reports designed to look more closely at four specific issues highlighted by that survey. » Metrics and reporting » Malware and data breaches » Data-centric security » Automation and orchestration Metrics and Reporting This document might have just as easily been titled, ‘The Lack of Metrics’. It is highlighted in a simple conclusion reached in Assessing IT Security Risks: “Overall, [security] teams were optimistic but not overwhelmingly confident.”
  • 4. Metrics & Reporting 4 On the surface, this statement appears to hide a contradiction: how can someone be genuinely optimistic without being simultaneously confident? That apparent contradiction hides a potentially widespread problem in information security: CISOs are always improving their company security; there is little ability, however, to measure that success (or indeed, lack of it). Without having the metrics of success or failure, security teams can be optimistic in what they are doing—but cannot ultimately be confident in its effect. This problem is then compounded. Metrics form the basis of business-level reporting, and without those metrics IT struggles to effectively communicate security issues to Business. The Problem Measured Participants in this survey were asked, ‘do you have metrics in place to track your top three risks?’ (see Figure 1). Overall, 50% do not have metrics. …the real problem with security risk management in the enterprise isn’t of confidence—it’s of measurement; survey respondents don’t really have a good way of indicating the effectiveness (or lack thereof) of existing programs. —Assessing and Managing IT Security Risks Figure 1: Survey Question: Do you have a metric to measure the risk in your top three areas of concerns? Source: Wisegate June 2014
  • 5. a Failure in Communication 5 The problem is that there is a general acceptance that all three top risks are growing—more than 80% of participants believe that major risks are increasing in their industry (see Figure 2). [Note: These three ‘top risks’ are non-specific—they are whatever the participant considered to be his or her personal top three risks. Overall, the top three risks are malware, data breaches and outsider threat.] Figure 2: Survey Question: Which risks are growing for your specific company and industry? Source: Wisegate June 2014 What this means, in effect, is that IT cannot accurately communicate an increasing security risk to Business; and Business cannot accurately understand that security risk and its possible impact on the business. Is This Important? This lack of communication is very important, for three particular reasons: » Real security cannot be achieved without full Business buy-in. » Business is likely to become suddenly very keen on understanding security following the recent prosecution of FedEx in what can be seen as an extension of the ‘failure to prevent’ theory. “This bodes ill not only for corporations that fail to prevent criminal activity, but for corporate compliance officers whose programs,
  • 6. Metrics & Reporting 6 when scrutinized under the glare of 20-20 hindsight, may be found deficient.”1 It is possible that within a relatively short period, individual board members could be held legally liable for security failures. » Boards are being urged by the National Association of Corporate Directors to be more proactive in information security. The reality is that possibly for the first time, corporate boardrooms are taking cyber security seriously. The continuous flow of news of major security breaches in major companies is having an effect. Boards are asking: » How does our security stack up? » How do we compare with other companies in our sector? Without adequate security metrics to answer those questions in the language that Business understands, IT/Security will miss a major opportunity. ‘Communication is What the Receiver Does’ It is a tenet of communication that you have to listen. There are signs that Business is ready to listen. In July 2014 the National Association of Corporate Directors published a new handbook for its members: Cyber-Risk Oversight2 . Its advice to directors is organized around five key principles: 1. Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue. 2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances. 3. Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. 4. Directors should set the expectation that management will establish an enterprise- wide, cyber-risk management framework with adequate staffing and budget. 5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach. 
1 The Rise of 'Failure to Prevent' Crimes and CCO Liability; New York Law Journal (27 October 2014): http://newyorklawjournal.com/id=1202674374593 2 Cyber-Risk Oversight Handbook (free to NACD members): http://www.nacdonline.org/cyber
That last point highlights the need for discussion between IT/Security and the board. When the handbook was first published, Internet Security Alliance President Larry Clinton commented, "Most business leaders do not spend a lot of time talking about ISO standards and NIST framework. They talk about things like profitability, growth, innovation, product development, price-to-earnings ratios. This publication, perhaps for the first time, attempts to put cybersecurity squarely within that business context." But while Business might be ready to listen, IT/Security still finds it difficult to speak in a language that Business understands.

What IT/Security is Doing

IT/Security is taking a risk-based approach to defending systems, but it currently lacks the means to report the risk status to boards and internal business partners.

“CISOs are measuring tactical things,” explains the Assessing IT Security Risks lead author, Bill Burns. “What metrics exist are events-driven: how much classified data was blocked from leaving the system; how many malware hits were stopped at the firewall or by the AV software. But there exists a huge disconnect between such activity-based metrics and rolling them up into ‘what is the impact of our security programs on the business’.”

The problem, he suggests, is that there remains a tool-centric rather than risk-centric view of security—and the tools that are available rarely provide metrics that can be combined into an overall metrics-based company risk report suitable for delivery to the board. This leads to a failure of communication between IT/Security and Business—which is, says Burns, a major challenge for IT/Security.

To a large degree this basic problem is a natural result of the security product market, which comprises a wide range of distinct point products. The natural desire to use a ‘best of breed’ approach (that is, to use the best available solution for each separate risk) doesn’t lend itself to seamless security metrics. The extent of the problem can be seen in Figures 3 to 6, taken from the survey. The diversity of products expected to be in use in the next 3-5 years makes seamless and cohesive reporting across the whole security discipline difficult to achieve—and almost impossible in a format suitable to present to business management. This is unlikely to change within the next five years.
Figure 3: Survey Question: Which endpoint-targeted security controls will be a top priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014

Figure 4: Survey Question: Which mobility / IoT security control will be most important to your company in the next 3-5 years? Source: Wisegate, June 2014

Figure 5: Survey Question: Which of these Messaging, File/Doc Sharing controls will be a top priority to you in the next 3-5 years (multiple selections allowed). Source: Wisegate, June 2014

Figure 6: Survey Question: Stack-rank these Infrastructure controls by which will be a top priority to you in the next 3-5 years. Source: Wisegate, June 2014
This volume of different products makes communicating strengths and weaknesses in the corporate security profile in relation to business impact a difficult proposition. “Although this sounds harsh,” comments Burns, “it results in a failure of the security teams to communicate in business terms, and for business people to understand security. There’s a business gap—and it’s one of the biggest challenges I see for Security.”

The Danger in Poor Communication

The two primary dangers of poor communication are:

» A continuing disconnect between Business and Security, leading to underfunding and weak policy implementation
» A Business concentration on the one set of industry-wide metrics already available: compliance checklists

Many security teams already believe they suffer from the first, and many more will increasingly come up against the latter. “I think we are finally at the point, with so many large scale breaches,” explains Burns, “that Business is taking Security seriously. Boards are ready to listen if we can learn their language to speak to them. What they want to know is, ‘are we doing everything we should be doing; and are we doing what our peers are doing?’”

It is that latter point that leads Business to concentrate on compliance-based security. If the only metrics available are the compliance regulations, then conforming strictly to those requirements serves two purposes: firstly, it provides a defense against any possible ‘failure to prevent’ legal challenges; and secondly, it provides a likely ‘peer comparison’ point. Most security professionals do not believe that conforming to a compliance checklist provides the best possible security. However, unless Security can develop its own metrics and reporting, Business will inevitably and increasingly rely on compliance instead—possibly to the detriment of real security.

What is IT/Security Doing About this Lack of Communication?
IT/Security readily acknowledges that communication is a problem. “People accept that this is a problem, and talk about it,” comments Burns. “But not one of the survey participants could say, ‘I cracked the nut—this is what you have to do to communicate successfully.’”
It is a subject that frequently occurs in Wisegate roundtable discussions. For example, in a recent Wisegate Live Research call, one CISO with a large financial firm noted:

“The higher you go, the more you need to be able to talk about business drivers in business language that business can understand. The thing that works best seems to be stories and analogies—they seem to be the best way to share information with the more senior individuals in your business.”
—“What are the soft skills required for a career in IT and security?” Roundtable

Talking, however, is not reporting, and stories are not metrics. The reality is that IT/Security mostly does little more than talk about the problem of metrics and reporting.

What Should IT/Security Be Doing?

The survey shows that IT/Security suffers from a lack of adequate metrics. This translates into poor communication between IT/Security and Business. In the short term this can be improved by IT/Security aggregating security point solutions to provide a seamless holistic risk rating, and then creating the metrics to demonstrate the impact of security on business.

In the longer term, the problem provides an opportunity for security users and security vendors. As the move towards the adoption of security as a service (SaaS) solutions gathers pace, security teams can start to insist on the provision of usable metrics as part of the partner agreement.
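The short-term recommendation above (aggregate point-solution output into one holistic risk rating, then tie it to business impact) is easier to picture with a worked roll-up. The following Python is an added example, not Wisegate's method or any vendor's API: the tool names, business units, impact weights, coverage figures and event counts are all constructed for the illustration. It takes the kind of events-driven numbers Burns describes (malware hits blocked, DLP matches) from several point products and produces a per-business-unit score that a board can read without knowing what a firewall does.

```python
"""Added example: roll tool-centric event counts up into a business-centric
risk rating. Every name, weight and figure below is constructed for the
illustration; none of it is Wisegate's method or a vendor's reporting API."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ToolReport:
    """One reporting period's numbers from a single point product (constructed shape)."""
    tool: str            # the product that produced the figures
    business_unit: str   # owner of the assets the tool protects
    detected: int        # events the tool observed (malware hits, DLP matches, ...)
    blocked: int         # events it actually stopped
    coverage: float      # fraction of the unit's assets the tool covers, 0..1


# Hypothetical business-impact weights on a 1..5 scale, agreed with the
# business rather than set by IT: roughly what a breach in that unit would cost.
IMPACT: Dict[str, int] = {"Payments": 5, "HR": 3, "Marketing": 1}


def residual_rate(r: ToolReport) -> float:
    """Share of observed events that reached the asset, adjusted for coverage.

    Assets the tool does not cover are counted as if every event got through,
    so a control that blocks 100% but covers only half the estate still leaves
    half of the risk on the table.
    """
    leaked = 0.0 if r.detected == 0 else (r.detected - r.blocked) / r.detected
    return leaked * r.coverage + (1.0 - r.coverage)


def unit_risk(reports: List[ToolReport]) -> Dict[str, float]:
    """Mean residual rate across the tools reporting on each unit, scaled by
    business impact into a 0..100 score (higher is worse)."""
    max_impact = max(IMPACT.values())
    rates: Dict[str, List[float]] = {}
    for r in reports:
        rates.setdefault(r.business_unit, []).append(residual_rate(r))
    return {
        unit: round(100.0 * (sum(v) / len(v)) * IMPACT[unit] / max_impact, 1)
        for unit, v in rates.items()
    }


def tier(score: float) -> str:
    """Collapse the score into the three bands a board is used to reading."""
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def board_summary(reports: List[ToolReport]) -> List[Tuple[str, float, str]]:
    """Units ordered worst-first: the view to present instead of raw event counts."""
    scores = unit_risk(reports)
    return sorted(((u, s, tier(s)) for u, s in scores.items()),
                  key=lambda row: row[1], reverse=True)


# Constructed sample period: three point products reporting on three units.
SAMPLE: List[ToolReport] = [
    ToolReport("AV", "Payments", detected=200, blocked=200, coverage=0.90),
    ToolReport("DLP", "Payments", detected=40, blocked=32, coverage=0.80),
    ToolReport("AV", "HR", detected=50, blocked=50, coverage=1.00),
    ToolReport("Firewall", "Marketing", detected=1000, blocked=900, coverage=1.00),
    ToolReport("DLP", "Marketing", detected=10, blocked=0, coverage=0.50),
]

if __name__ == "__main__":
    # Tool-centric view: Marketing lets the most events through.
    # Risk-centric view: Payments ranks first because of impact and coverage gaps.
    for unit, score, band in board_summary(SAMPLE):
        print(f"{unit:<10} {score:>6.1f}  {band}")
```

With the constructed sample, the tool-centric numbers point at Marketing (its DLP blocked nothing and its firewall let 10% through), while the roll-up puts Payments at the top: its tools block almost everything, but 10-20% of its assets are uncovered and a breach there carries the highest business impact. That inversion is the "tool-centric versus risk-centric" gap Burns describes, made visible in a single table; the weights and bands are the part that has to be negotiated with the business, not chosen by IT.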
PHONE 512.763.0555 | EMAIL info@wisegateit.com | www.wisegateit.com

Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.