Security is necessary; nobody will really argue with that. Effective security, on the other hand, goes beyond filling a requirement with the least effort (or investment) possible. Effective security enhances and facilitates business processes and helps the organization meet goals and drive revenue. In order to implement that kind of security, though, you have to be able to present a solid business case illustrating why the security is necessary and how it will help the company. And to do that you have to gather the right metrics to build the business case:
What’s the point, really? You’ve dedicated terabytes of storage to capture insane volumes of log data, but for what? Yes, you can distill the highlights that make you look good and drop them in your reports. Be warned that those types of vanity metrics don’t provide any real value. Use the right security metrics in the right way, and you can clearly illustrate the issues.
And that’s how you drive change for your organization.
Security metrics give you the tools to change user behavior and to build a case for the kind of changes you want to make to the organization’s security posture. Use metrics to illustrate how a given behavior or security control is working (or not, as the case may be) and justify how or why it should be changed.
It’s often particularly hard to get budget allocated for security in the first place or justify continued investment in security. The problem is that security doesn’t typically generate income—it’s just a “necessary evil”—and the better job you do at protecting your network and data the less obvious it is that security is necessary at all. If there’s never any malware outbreak or data breach it’s easy for management to become complacent and wonder why the company is spending so much money on security.
When I was at EDS working as a consultant managing security at General Motors, we used to show the IT managers at GM stories about its competitors being breached or compromised in order to demonstrate and stress that the reason a rival company was in the news instead of them was the investment being made in security. We had to have some way to justify the money they were paying us. A security incident might validate the need for security but get you fired at the same time for failing to prevent it.
What would have worked better would have been gathering the appropriate security metrics to demonstrate the value we were bringing to the table. Security metrics are an ideal way to build a business case for security tools and policies. You just have to make sure you’re capturing the right data to make the point you’re trying to make.
How many security incidents impact your organization on an annual or monthly basis? What is the mean time to recovery—how long does it take on average to resolve a security incident and resume normal business operations? What is the financial impact to the organization of the lost productivity associated with security incidents?
You can see the complete post on the RSA Conference blog: Security Metrics to Drive Change.