Do you have an information security practice? How do you measure its effectiveness? By the number of tickets generated? The number of viruses found and stamped out? Or by how quiet it is?—"If they don't bother me, they must be doing their job!"
Have the security metrics guidelines changed in the last few years as infosec moved away from a helpdesk mentality, towards a penetration tester's mentality with a business focus?
Past Measurements
Years ago, information security metrics relied on ticket counting. The fewer tickets there were, the better a job the security staff was doing. While that was not a bad way to start, it certainly doesn't give the whole picture.
It doesn't count the failed attempts, the successful stealthy attacks, or even the ongoing efforts to improve security. It just counts when people or systems notice something and sounded an alert. Plus, collating and correlating anything was manual, and prone to problems. Tickets were often manually entered. Keeping verbiage consistent was an exercise in futility. Correlating data in different formats was almost impossible.
Current Measurements
SIEM (security incident and event management) helps organizations collect data they can use for security metrics. A good SIEM product correlates events, teases out meaning from different types of data, and organize data into similar formats. We add port scans, exfiltration attempts, VPN logins, and many other data points collected from routers, switches, firewalls, servers, logs, and IDS/IPS systems. It's one way to approach security metrics.Another approach relies on Big Data analytics. Big Data systems collect data from multiple sources and analyze disparate pieces of data to find correlations. Being able to analyze and correlate the results, not just from a single system over time, but from multiple systems over time and against multiple baselines, provides a much more sensitive net of detection.
Cross-correlations also provide much deeper justification for budgets, as it can be objectively proven that although it may be quiet, the reason it is quiet is that the IDS/IPS, firewall, web filter, email virus scanners, anti-malware software, and every other piece of security kit is working and keeping the enterprise safe.
Utilizing security metrics can give infosec professionals a better handle on the company's security posture. Penetration tests establish the organization's baseline security. If the systems can see the tests and respond accordingly, they should be able to see and respond to malicious activity. That's a much more holistic view of the environment, with a greater focus on business, which also translates to compliance.
How Does This Help?
So how does this help enterprises, both large and small?
Metrics are some of the most important numbers associated with information security, although some would argue that the budget is a slightly more important number. Notwithstanding that the budget is a metric in and of itself, metrics are vital not just to the budgeting process, but to the entire business focus of information security.
If you understand what to measure and how to measure it, the security team can successfully support compliance initiatives, overcome regulatory and legal challenges, and truly understand the environment that has been created over the years. If, on the other hand, metrics are still measuring Infosec's ticket performance numbers like a glorified helpdesk, the answer might be, "Budget? What budget?"