It's been more than 15 years since my identity, bank account, and credit history were taken hostage by some folks in the Bronx. By one set of security metrics, last year was a good year because there was no repeat failure.
I've used "fraud alerts" on accounts to notify me of improper activity and been vigilant about credit reports and monitoring FICO scores, but I don't know if I'm any safer. It's like calling yourself a great driver just because you haven't had an accident. There's no clear cause and effect; you infer safety from the absence of bad news.
For a lot of companies, budget is the yardstick for IT security metrics. The reasoning goes: when spending increases, security must be greater, especially if there's been no crisis. Then, after years without an incident, spending can presumably be cut back because it must have been enough.
Security metrics are a hot-button issue, but the needs vary widely across departments and organizations. Knowing how many threats are out there is just one unit of measurement; the severity and persistence of those threats are others. No single measure is complete, so everyone has to decide how many to watch.
The Trustworthy Internet Movement, set up and funded by Qualys CEO Philippe Courtot in 2012, aims to coordinate a worldwide community to advance innovations. Contributors can add preferred security metrics that IT teams can present to the business. It can be challenging to find proven metrics, rather than merely "possible" scenarios, that non-experts can understand and whose risks they can appreciate.
One starting place is ranking risks: desktop machines or servers with no Web connection or for internal use have a lower risk than laptops and tablets used for remote work. Different risks require customized approaches. So, people and machines most at risk get top priority for training, advanced security, and attention. And that differentiated method saves time and money, deploying resources where they have the greatest return on investment.
Using peer research from comparably sized companies is one way of benchmarking. Another is to identify major threats that your organization was able to avoid. Days without an accident is a proof point of safety in the construction industry. Days without a worm, virus, malware infection, or hack attack can be an equally objective measure of security effectiveness.
Your line of business and the sensitivity of your data also determine risk, Qualys found. Not surprisingly, finance and retail companies were more likely and more persistent targets than worksites that might not hold data that could be resold at a profit. It is the same reason bank robbers choose banks; as famed bank robber Willie Sutton put it, "that's where the money is."
"Crying wolf" about security is how some jaded executives see the spending when they haven't been directly affected by a problem. That's another reason consistent metrics are needed to communicate effectively with senior executives.
Communication may be one of the biggest challenges for chief information security officers (CISOs), who benefit from using security metrics to influence business leadership.
Security professionals have traditionally viewed metrics as valuable operational data, while executives look at more subjective details such as spending, the value of lost data, or reputational risk. Ask your executive team to describe a "worst-case scenario" for a data or network breach; the metrics tied to that scenario can serve as a proof point going forward.
With a diverse scorecard, you can say with certainty that you really are safer than last year.