1. Meaningful and useful security metrics. Vladimir Jirasek, About.me/jirasek, 5th Oct 2011
2. About me
- Security professional (11 years), currently Enterprise Security Architect at Nokia
- Founding member and steering group member of the Common Assurance Maturity Model (CAMM, common-assurance.com)
- Director of Research, CSA UK & Ireland
- I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
3. I will cover the following today
- Information security model
- Metrics for the CIO
- Metrics for the Operations manager
- Metrics for the CISO
- Metrics for the CEO and the Board
4. Security model: business drives security
[Diagram; only its labels survive extraction. Inputs: business objectives, laws & regulations, compliance requirements, international security standards, security threats, security intelligence, business & information risks. Frameworks: policy framework (information security policies, standards, guidelines), process framework (information security processes, security services, security professionals, technology, people), metrics framework (define information security metrics objectives, define external security metrics, measure security maturity). Management and assurance: governance, line management, product management, program management, security management, risk & compliance / IT GRC, auditors, assurance, business impact. Flows: mandate, measured by, input, inform; feedback "update business requirements"; "correction of security processes".]
5. Security metrics characteristics
- Measurable
- Objective
- Quantitative (ideally)
- Meaningful
- With KPIs attached: know what is good and what is bad
- Linked to business objectives: money speaks
6. Metrics for the CIO (1): policy compliance and control maturity
7. Metrics for the CIO (2): Value at Risk*
- Inputs: asset values; maturity of controls; system weaknesses; threat information
- Output: the most likely £ value (taken from a probability distribution) of the total exposure the IT organisation faces
- Inspiration: Basel II
- Work in progress
* Value at Risk here equals the most likely total exposure
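The slide names the four inputs and the shape of the output but not how they combine. The following is an added example, not code from the original talk or from Nokia: it derives a probability distribution of annual exposure in £ by Monte Carlo simulation over an asset inventory and reports the most likely value (the slide's definition of VaR) alongside the expected value and a Basel-style tail quantile. The combining formula (threat probability × weakness score × (1 − control maturity)), the impact fractions and the sample asset figures are assumptions made for illustration. It also includes the annual risk reduction ratio used on the later CISO slide, because a year-on-year VaR comparison only makes sense once VaR is computed the same way both years.

```python
"""Security Value at Risk (VaR) as a probability distribution of annual exposure.

Added example; not from the original slides. Inputs follow the slide (asset
values, control maturity, system weaknesses, threat information); the
combining formula, impact fractions and sample figures are assumptions.
"""
import random
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    value_gbp: float           # asset value
    control_maturity: float    # 0.0 = no effective controls .. 1.0 = fully mature
    weakness_score: float      # 0.0 = no known weaknesses .. 1.0 = trivially exploitable
    threat_probability: float  # probability of at least one attack attempt in a year
    impact_fraction: float     # share of asset value lost on compromise (assumption)


def compromise_probability(asset: Asset) -> float:
    """Annual probability of compromise.

    Assumed model: an attempt occurs with threat_probability and succeeds with
    probability weakness_score * (1 - control_maturity).
    """
    p = asset.threat_probability * asset.weakness_score * (1.0 - asset.control_maturity)
    return max(0.0, min(1.0, p))


def loss_on_compromise(asset: Asset) -> float:
    return asset.value_gbp * asset.impact_fraction


def simulate_annual_exposure(assets: List[Asset], trials: int = 10_000, seed: int = 2011) -> List[float]:
    """Monte Carlo: each trial is one simulated year; returns the total loss per trial."""
    rng = random.Random(seed)  # seeded so the distribution is reproducible
    totals = []
    for _ in range(trials):
        loss = 0.0
        for asset in assets:
            if rng.random() < compromise_probability(asset):
                loss += loss_on_compromise(asset)
        totals.append(loss)
    return totals


def summarise(totals: List[float]) -> Dict[str, float]:
    """Most likely (mode), expected and tail values of the exposure distribution."""
    ordered = sorted(totals)
    n = len(ordered)
    most_likely, _ = Counter(ordered).most_common(1)[0]
    return {
        "most_likely": most_likely,                 # the slide's VaR: most likely total exposure
        "expected": statistics.mean(ordered),
        "median": ordered[n // 2],
        "p95": ordered[min(n - 1, int(0.95 * n))],  # Basel-style tail quantile
        "max": ordered[-1],
    }


def annual_risk_reduction(var_last_year: float, var_now: float, spend_gbp: float) -> Dict[str, float]:
    """CISO metric: VaR difference compared with money spent.

    A negative reduction is a valid result: new business processes or changes in
    the regulatory and threat landscape can raise VaR even while spending rises.
    """
    reduction = var_last_year - var_now
    per_gbp = reduction / spend_gbp if spend_gbp else float("nan")
    return {"reduction_gbp": reduction, "reduction_per_gbp_spent": per_gbp}


# Constructed sample inventory; figures are illustrative, not real data
SAMPLE_ASSETS = [
    Asset("erp-db", 5_000_000, 0.8, 0.3, 0.90, 0.4),
    Asset("customer-portal", 2_000_000, 0.5, 0.6, 0.95, 0.5),
    Asset("build-server", 800_000, 0.3, 0.7, 0.60, 0.8),
    Asset("internal-wiki", 100_000, 0.2, 0.8, 0.50, 0.3),
]


if __name__ == "__main__":
    for key, value in summarise(simulate_annual_exposure(SAMPLE_ASSETS)).items():
        print(f"{key:>12}: £{value:,.0f}")
    print(annual_risk_reduction(1_200_000, 950_000, 300_000))
```

Reporting the mode, the mean and the 95th percentile side by side matters: for a portfolio with a few very valuable assets the most likely year is quiet while the tail is not, and a board that only hears the most likely figure will under-budget for the tail.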
8. Metrics for the Operations manager
The morning dilemma: "Can I have a coffee, or is there something urgent to fix?"
Suggested metrics:
- Number/percentage of systems outside the SLA for fixing security weaknesses (both patches and configuration errors), with details of the highly critical offenders sorted by value at risk
- Security incidents that resulted in a breached SLA (the SLA covers both time and £ value)
- And of course: Value at Risk
Quiz: is "number of critical vulnerabilities" a good metric? Answer: not on its own!
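The following is an added example, not from the original talk, showing how the two suggested operations metrics are computed from a vulnerability/patch inventory and an incident log, and why the quiz answer is "not on its own": the bare count of critical findings is the same whether they were opened yesterday or weeks ago. The SLA thresholds, the finding and incident records, the value-at-risk figures and the reference date are all constructed for illustration.

```python
"""Operations-manager metrics: systems outside the remediation SLA, and incidents
that breached an SLA defined on both time and £ cost.

Added example; not from the original slides. SLA thresholds, records and the
reference date are constructed for illustration.
"""
from datetime import date
from typing import Dict, List

# Assumed remediation SLA in days, by severity of the patch or configuration error
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed incident SLA: both the time bound and the cost bound must hold
INCIDENT_SLA = {"max_hours_to_contain": 24, "max_cost_gbp": 50_000}

TODAY = date(2011, 10, 5)  # reference date for the constructed sample

# Constructed sample: one row per open security weakness (patch or config error)
FINDINGS = [
    {"system": "erp-db-01", "severity": "critical", "kind": "patch",  "opened": date(2011, 9, 1),  "value_at_risk_gbp": 2_500_000},
    {"system": "web-01",    "severity": "critical", "kind": "config", "opened": date(2011, 10, 1), "value_at_risk_gbp": 400_000},
    {"system": "hr-app",    "severity": "critical", "kind": "patch",  "opened": date(2011, 9, 20), "value_at_risk_gbp": 900_000},
    {"system": "web-01",    "severity": "high",     "kind": "patch",  "opened": date(2011, 8, 1),  "value_at_risk_gbp": 400_000},
    {"system": "build-srv", "severity": "medium",   "kind": "config", "opened": date(2011, 9, 15), "value_at_risk_gbp": 50_000},
    {"system": "wiki",      "severity": "low",      "kind": "patch",  "opened": date(2011, 1, 10), "value_at_risk_gbp": 20_000},
]

# Constructed sample incidents
INCIDENTS = [
    {"id": "INC-1", "hours_to_contain": 30, "cost_gbp": 10_000},
    {"id": "INC-2", "hours_to_contain": 10, "cost_gbp": 80_000},
    {"id": "INC-3", "hours_to_contain": 5,  "cost_gbp": 5_000},
]


def days_open(finding: Dict, today: date = TODAY) -> int:
    return (today - finding["opened"]).days


def outside_sla(findings: List[Dict], today: date = TODAY) -> List[Dict]:
    """Findings whose age exceeds the SLA for their severity."""
    return [f for f in findings if days_open(f, today) > SLA_DAYS[f["severity"]]]


def sla_metrics(findings: List[Dict], today: date = TODAY) -> Dict[str, float]:
    """Number and percentage of systems with at least one weakness outside SLA."""
    systems = {f["system"] for f in findings}
    breached = {f["system"] for f in outside_sla(findings, today)}
    pct = round(100.0 * len(breached) / len(systems), 1) if systems else 0.0
    return {"systems_total": len(systems), "systems_outside_sla": len(breached), "pct_outside_sla": pct}


def critical_offenders(findings: List[Dict], today: date = TODAY) -> List[Dict]:
    """Critical weaknesses outside SLA, highest value at risk first: the fix-before-coffee list."""
    late = [f for f in outside_sla(findings, today) if f["severity"] == "critical"]
    return sorted(late, key=lambda f: f["value_at_risk_gbp"], reverse=True)


def critical_count(findings: List[Dict]) -> int:
    """The quiz metric: a bare count says nothing about age, SLA or value at risk."""
    return sum(1 for f in findings if f["severity"] == "critical")


def incidents_breaching_sla(incidents: List[Dict]) -> List[Dict]:
    """Incidents that breached either the time bound or the cost bound."""
    return [
        i for i in incidents
        if i["hours_to_contain"] > INCIDENT_SLA["max_hours_to_contain"]
        or i["cost_gbp"] > INCIDENT_SLA["max_cost_gbp"]
    ]


if __name__ == "__main__":
    print(sla_metrics(FINDINGS))
    for f in critical_offenders(FINDINGS):
        print(f"{f['system']:<10} {f['kind']:<7} {days_open(f):>3} days open  £{f['value_at_risk_gbp']:,}")
    print("critical findings (count only):", critical_count(FINDINGS))
    print("incidents breaching SLA:", [i["id"] for i in incidents_breaching_sla(INCIDENTS)])
```

On this sample the count of critical findings is 3, but only two are outside SLA and the ordering by value at risk puts the ERP database first; the web server's four-day-old critical finding is not yet urgent under the assumed SLA, which is exactly what the raw count hides.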
9. Metrics for the CISO
Gartner: by 2014, IT GRC and eGRC will merge in 70% of organisations. Likely head: the CISO.
Relevant metrics:
- Value at Risk, covering IT and the other departments
- Compliance matrix (same as for the CIO)
- Annual risk reduction: the difference between VaR now and VaR last year, compared to the money spent
10. Showing value for money
End-of-year review: "We have spent more than the risk reduction, but there were no incidents!"
Caveat: VaR can also increase through new business processes and through changes in the regulatory and threat landscape, so a small or negative reduction does not by itself mean the spend was wasted.
11. Metrics for the CEO and the Board
- Total exposure (£) = the Value at Risk indicator
- Unmanaged risk = the likelihood that there are risks we do not know about = the inverse of eGRC maturity
12. How do I know I have good metrics? Metrics of metrics
- Decision effectiveness approach: % of important management decisions that can be or have been influenced by double-loop learning (i.e. revision and refinement of targets, measures, criteria, etc.)
- Investment approach: % of security metrics cost spent on "exploratory/testing" metrics vs. total metrics cost
- Speed: cycle time from "sense" to "respond" when changing security metrics and management procedures; % of metrics that are collected and calculated automatically
- Cost: cost of changing security metrics and management procedures as % of total security management cost
- Error: % of security metrics that do not tie to any decision or decision process (over-shoot); % of decisions that have inadequate metrics support (under-shoot); % of metrics that produce a significant number of false signals
13. Summary
- Metrics need to include monetary value, otherwise business leaders will not understand why the metrics are collected and presented
- Security (and GRC in general) is there to keep company risk at an acceptable level, and that needs to be measured
- Link security metrics to policy, which is linked to business objectives
- Boards do not like "unmanaged risk"
- Measure the metrics
Speaker notes
This model is used to link the security technology reference model and blueprints to business requirements. All security technology must support at least one information security process; otherwise it should not be deployed. By linking requirements to policies, policies to processes, and processes to technologies, we can be assured that the technologies we deploy are justifiable and, at the same time, we know there should be no gaps.
Information security is a journey, not a project, and needs to be treated accordingly.
The information security policy is driven by business, legal and regulatory requirements, which then mandate what security processes must and should be implemented. The IT security policy is based on the ISF Standard of Good Practice (SoGP), which maps to the major regulatory and international standards.
Security processes are run by people using technology and report to the Information Security Centre, where data is correlated, normalised and made available for management decisions, at the level of detail appropriate to the audience.
The effectiveness of security processes is measured by internal security metrics that are based on accepted best-practice metrics, so Nokia's information security status can be compared with that of other companies.