1. Meaningful and useful Security metrics
Vladimir Jirasek, About.me/jirasek, 5th Oct 2011

2. About me
Security professional (11 years), currently working at Nokia as Enterprise Security architect
Founding member and steering group member of CAMM (Common Assurance Maturity Model, common-assurance.com)
Director of Research, CSA UK & Ireland
I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)

3. I will cover three topics today
Information Security Model
Metrics for CIO
Metrics for Operations manager
Metrics for CISO
Metrics for CEO and the Board

4. Security model – business drives security
(Diagram slide; only its labels are recoverable.) Business objectives; Laws & Regulations; International security standards; Compliance requirements; Security threats; Security intelligence; Business & information risks; Business impact; Governance; Line Management; Product Management; Program Management; Security management; Risk & Compliance; IT GRC; Auditors; Assurance; Policy framework; Process framework; Metrics framework; Information Security policies; Information Security standards; Information Security guidelines; Information Security Processes; Information Security Metrics; External security metrics; Technology; People; Services; Security Services; Security Professionals; Define Information Security Metrics objectives; Define security controls; Execute security controls; Measure security maturity; Correction of security processes; Feedback: update business requirements. Connector labels: Input, Inform, Mandate, Define, Measured by.

5. Security metrics characteristics
Measurable
Objective
Quantitative (ideally)
Meaningful
With KPIs attached – know what is good and bad
Linked to business objectives – money speaks

6. Metrics for CIO – (1) Policy compliance and control maturity

7. Metrics for CIO – (2) Value at risk*
Input: Asset values; Maturity of controls; System weaknesses; Threat information
Output: most likely (probability distribution) £ value of the total exposure that the IT organisation is exposed to
Inspiration in BASEL II. Work in progress.
* Eq. most likely Total Exposure

8. Metrics for Ops manager
The morning dilemma: “Can I have a coffee or is there something urgent to fix?”
Suggested metrics:
Number/percentage of systems outside SLA for fixing security weaknesses (both patches and configuration errors) – details of highly critical offenders, sorted by value at risk
Security incidents that resulted in a breached SLA (SLA is both time and £ value)
And of course: Value at Risk
Quiz: Is “number of critical vulnerabilities” a good metric? Answer: Not on its own!
9. Metrics for CISO
Gartner: by 2014 IT GRC and eGRC will merge in 70% of organisations. Likely head: CISO
Relevant metrics:
Value at Risk – includes IT and other departments
Compliance matrix (same as for CIO)
Annual risk reduction – difference between VaR now and last year, compared to money spent
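The Value at Risk, out-of-SLA and annual-risk-reduction metrics from slides 7, 8 and 9, as an added worked example that is not part of the deck. The slides name the inputs and outputs but give no formula, so the exposure model in most_likely_exposure(), the Weakness/System fields and every sample figure are assumptions constructed for this illustration.

```python
"""Added example (not from the slides): the money-based metrics the deck
describes, computed over constructed data.  Slide 7 names the Value at Risk
inputs (asset values, control maturity, weaknesses, threat information) but
gives no formula, so the probability model in most_likely_exposure() is an
assumption made for this illustration only."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

@dataclass
class Weakness:
    kind: str          # "patch" or "config" (slide 8 counts both)
    severity: float    # assumed: 0..1 chance an attack on this weakness succeeds
    threat: float      # assumed: 0..1 chance the weakness is attacked this year
    found: date        # when the weakness was first reported
    sla_days: int      # agreed time to fix, counted from 'found'

@dataclass
class System:
    name: str
    asset_value_gbp: float     # business value lost if the system is compromised
    control_maturity: float    # 0.0 no controls .. 1.0 fully mature controls
    weaknesses: List[Weakness] = field(default_factory=list)

def most_likely_exposure(system: System) -> float:
    """Assumed VaR model (slide 7): each weakness is exploited with probability
    threat * severity * (1 - control_maturity), independently; exposure is
    asset value * P(at least one weakness is exploited)."""
    p_no_compromise = 1.0
    for w in system.weaknesses:
        p_no_compromise *= 1.0 - w.threat * w.severity * (1.0 - system.control_maturity)
    return round(system.asset_value_gbp * (1.0 - p_no_compromise), 2)

def total_exposure(systems: List[System]) -> float:
    """'Total exposure (GBP)' as shown to the CEO and board (slide 11)."""
    return round(sum(most_likely_exposure(s) for s in systems), 2)

def outside_sla(system: System, today: date) -> bool:
    """True if any weakness on the system is older than its fix SLA."""
    return any((today - w.found).days > w.sla_days for w in system.weaknesses)

def ops_manager_report(systems: List[System], today: date) -> Dict:
    """Slide 8: number/percentage of systems outside SLA, offenders ranked by
    value at risk rather than by raw count of critical vulnerabilities."""
    offenders = [s for s in systems if outside_sla(s, today)]
    percent = 100.0 * len(offenders) / len(systems) if systems else 0.0
    ranked = sorted(offenders, key=most_likely_exposure, reverse=True)
    return {"count": len(offenders), "percent": round(percent, 1),
            "offenders": [(s.name, most_likely_exposure(s)) for s in ranked]}

def annual_risk_reduction(var_last_year: float, var_now: float, spend_gbp: float) -> Dict:
    """Slide 9: VaR last year minus VaR now, set against the money spent.
    A negative reduction means exposure grew despite the spend (slide 10:
    new business processes, regulatory or threat landscape changes)."""
    reduction = round(var_last_year - var_now, 2)
    per_pound = round(reduction / spend_gbp, 2) if spend_gbp else None
    return {"reduction_gbp": reduction, "spend_gbp": spend_gbp,
            "reduction_per_pound": per_pound}

# Constructed sample estate; TODAY is the presentation date (5 Oct 2011).
TODAY = date(2011, 10, 5)
SYSTEMS = [
    System("payroll", 2_000_000.0, 0.8, [
        Weakness("patch", 0.9, 0.7, date(2011, 8, 1), 30),     # 65 days old
        Weakness("config", 0.5, 0.4, date(2011, 9, 20), 90),
    ]),
    System("intranet-wiki", 50_000.0, 0.3, [
        Weakness("patch", 0.6, 0.5, date(2011, 9, 20), 30),    # within SLA
    ]),
    System("build-server", 400_000.0, 0.5, [
        Weakness("config", 0.7, 0.6, date(2011, 6, 15), 60),   # 112 days old
    ]),
    System("kiosk", 10_000.0, 0.6),                            # nothing open
]

if __name__ == "__main__":
    print(ops_manager_report(SYSTEMS, TODAY))
    print("Total exposure (GBP):", total_exposure(SYSTEMS))
    # 650,000 (last year's VaR) and 150,000 (spend) are constructed figures.
    print(annual_risk_reduction(650_000.0, total_exposure(SYSTEMS), 150_000.0))
```

The slide 8 quiz shows up in the sample: intranet-wiki and build-server each carry one open weakness, yet the value-at-risk ranking puts build-server far ahead, which a plain vulnerability count would hide.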
10. Showing value for money
End of year review: “We have spent more than the risk reduction but there were no incidents!”
VaR can also increase with new business processes and changes in the regulatory and threat landscape.

11. Metrics for CEO and board
Total exposure (£) = Value at Risk indicator
Unmanaged risk = likelihood that there are risks we do not know about = inverse of eGRC maturity

12. How do I know I have good metrics – metrics of metrics
Decision effectiveness approach: % of important management decisions that can be or have been influenced by double learning (i.e. revision and refinement of targets, measures, criteria, etc.)
Investment approach: % of security metrics costs spent on “exploratory/testing” vs. total metrics cost
Speed: cycle time from “Sense” to “Respond” for changing security metrics and management procedures; % of metrics that are collected and calculated automatically
Cost: cost of changing security metrics and management procedures as % of total security management costs
Error: % of security metrics that do not tie to any decisions or decision processes (over-shoot); % of decisions that have inadequate metrics support (under-shoot); % of metrics which have a significant number of false signals

13. Summary
Metrics need to include monetary value, otherwise business leaders will not understand why the metrics are collected and presented
Security (and GRC in general) is here to keep company risk at an acceptable level – that needs to be measured
Link security metrics to policy, which is linked to business objectives
Boards do not like “un-managed risk”
Measure the metrics


Editor's notes

  1. This model is used to link the security technologies reference model and blueprints to business requirements. All security technology must support at least one information security process, otherwise it should not be deployed. By linking requirements to policies, to processes and to technologies we can be assured that the technologies we deploy are justifiable and, at the same time, we know there should be no gaps. Information Security is a journey, not a project, and needs to be treated accordingly. Information Security Policy is driven by business, legal and regulatory requirements, which then mandate what security processes must and should be implemented. IT Security policy is based on the ISF Standard of Good Practice (SoGP), which maps to major regulatory and international standards. Security processes are run by People using Technology and report to the Information Security Centre, where data is correlated, normalised and made available for management decisions, all at the appropriate level of detail for the audience. The effectiveness of security processes is measured by internal security metrics that are based on accepted best-practice metrics, hence Nokia’s information security status can be compared with that of other companies.