Promoting efficiencies through security metrics

Creating metrics for a security program can be a challenge for many organizations. Troy Leach, CTO of the Payment Card Industry Security Standards Council, discusses best practices for creating meaningful security metrics.

While the end of the year is a time to reflect on our past accomplishments and possible seconds at family gatherings, it also is a time when we prepare our strategic objectives for the upcoming year. 

When we set security objectives tied to PCI DSS requirements, we can overlook key performance indicators of organizational health that are a by-product of good security. The default metrics are often items such as passing a Report on Compliance or implementing new technology to reduce overall risk. But are we overlooking other benefits?

Good security hygiene requires disciplined consistency, and that consistency inherently creates organizational efficiency. Efficiency we can demonstrate as security leaders reduces cost and improves resource management while also reducing overall risk. Whether it comes from better use of automation or a redesign of information flow, we should be able to articulate the corporate value of infosec changes beyond their risk-management benefits.

Take for instance a company whose help desk has five individuals responsible solely for addressing malware on all devices. After the process for malware detection and prevention is improved, perhaps help desk tickets drop enough that three of those IT staff can be re-allocated to other assignments.

The key is to identify those examples and track metrics early and often. 


The importance of good metrics will only increase over time as data security matures. Looking at the model of cybersecurity insurance, for example, we can see the benefit of certain key performance indicators that can be used to differentiate a company from its peers. As a result, the organization could realize lower premiums or better coverage.

Additionally, those responsible for PCI DSS or similar assessments should continuously challenge themselves to use good metrics to identify improvements, not only to security posture but to the level of effort needed to demonstrate compliance in the future. For example, can the organization:

    • Increase the average number of systems patched with critical security updates within 30 days of release?
    • Reduce the number of systems with access to cardholder data? (Note: The Council recently released Guidance for PCI DSS Scoping and Network Segmentation to help with this process.)
    • Increase the percentage of staff with application security training?
    • Increase the percentage of software subject to dynamic code analysis?
    • Increase the number of third-party vendor agreements that include security language?

More importantly, if asked, could you measure some of the above statistics today and demonstrate the accomplishment?

The key is to make the metrics something that is relevant for your organization. NIST SP 800-55 is a great resource for how to develop metrics that are quantifiable, readily obtainable, repeatable and useful.

  • Quantifiable means that the metrics are percentages, averages and other indisputable numbers that don’t change from one assessor to the next. 
  • Readily obtainable means that it makes sense from an expense perspective to collect such data. 
  • Repeatable so that you have consistent measurements that can be compared for improvement over time. 
  • And useful, so that you collect data only for those items that can result in an action.
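As an added illustration (not part of the original column or of any PCI SSC publication) of what "quantifiable, readily obtainable and repeatable" looks like in practice, the Python below computes two of the metrics from the list above: the percentage of critical updates applied within 30 days of release, and the count of systems with access to cardholder data. The hostnames, update identifiers and dates are constructed sample data, and the 30-day window is an assumption chosen to match the question as posed. The repeatability point is that the metric is computed as of a fixed report date and only counts (system, update) pairs whose 30-day window has already closed, so two assessors running it for the same date get the same number.

```python
"""Patch-timeliness and scope metrics from a constructed asset inventory.

Added example; hosts, update IDs and dates below are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CriticalUpdate:
    update_id: str
    released: date


@dataclass
class System:
    hostname: str
    in_cde: bool  # True if the system stores, processes or transmits cardholder data
    # update_id -> date the update was applied; None (or a missing key) means never applied
    applied: Dict[str, Optional[date]] = field(default_factory=dict)


# Constructed sample data (not a real inventory).
UPDATES: List[CriticalUpdate] = [
    CriticalUpdate("KB-2017-001", date(2017, 1, 3)),
    CriticalUpdate("KB-2017-002", date(2017, 1, 20)),
]
SYSTEMS: List[System] = [
    System("pos-01", True, {"KB-2017-001": date(2017, 1, 10), "KB-2017-002": date(2017, 1, 25)}),
    System("pos-02", True, {"KB-2017-001": date(2017, 1, 30), "KB-2017-002": None}),
    System("web-01", False, {"KB-2017-001": date(2017, 1, 4)}),
    System("hr-db", False, {"KB-2017-001": None, "KB-2017-002": date(2017, 1, 31)}),
]
REPORT_DATE = date(2017, 3, 1)


def patch_sla_metric(systems: List[System], updates: List[CriticalUpdate],
                     as_of: date, sla_days: int = 30) -> Tuple[int, int, float]:
    """Return (met, due, percent) for updates applied within sla_days of release.

    Only (system, update) pairs whose deadline has passed by `as_of` are counted
    in the denominator, so the figure is stable for a given report date.
    """
    met = due = 0
    for upd in updates:
        deadline = upd.released + timedelta(days=sla_days)
        if deadline > as_of:
            continue  # window still open: not yet assessable, excluded from both counts
        for system in systems:
            due += 1
            applied = system.applied.get(upd.update_id)
            if applied is not None and applied <= deadline:
                met += 1
    percent = round(100.0 * met / due, 1) if due else 0.0
    return met, due, percent


def sla_misses(systems: List[System], updates: List[CriticalUpdate],
               as_of: date, sla_days: int = 30) -> List[Tuple[str, str]]:
    """Sorted (hostname, update_id) pairs that missed the window: the actionable list."""
    late = []
    for upd in updates:
        deadline = upd.released + timedelta(days=sla_days)
        if deadline > as_of:
            continue
        for system in systems:
            applied = system.applied.get(upd.update_id)
            if applied is None or applied > deadline:
                late.append((system.hostname, upd.update_id))
    return sorted(late)


def cde_scope(systems: List[System]) -> Tuple[int, List[str]]:
    """Count of systems with access to cardholder data, plus their hostnames."""
    in_scope = sorted(s.hostname for s in systems if s.in_cde)
    return len(in_scope), in_scope


if __name__ == "__main__":
    met, due, pct = patch_sla_metric(SYSTEMS, UPDATES, REPORT_DATE)
    print(f"As of {REPORT_DATE}: {met}/{due} critical updates applied within 30 days ({pct}%)")
    for host, upd in sla_misses(SYSTEMS, UPDATES, REPORT_DATE):
        print(f"  missed: {host} {upd}")
    count, hosts = cde_scope(SYSTEMS)
    print(f"Systems with access to cardholder data: {count} ({', '.join(hosts)})")
```

Run for an earlier report date and the denominator shrinks rather than the percentage drifting: as of 10 February 2017 only the first update's window has closed, so the result is 3 of 4 (75.0%), while as of 1 March 2017 both windows have closed and the result is 5 of 8 (62.5%). The same inventory yields the same numbers for the same date no matter who runs it, which is the property the NIST criteria ask for.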

When you have good metrics to rely on, you can gain a better understanding of where your time should be invested the following year when it comes to actual governance:

  • Do certain departments fail internal audits more consistently than others?
    • Perhaps those groups need more education, or the department should identify someone from within to champion security.
  • Comparing multi-year reports, are certain PCI DSS requirements regularly more difficult to achieve?
    • Perhaps the company focuses investment next year on more resources and technology to improve that specific area.

In this time of reflection and resolutions, we must ask ourselves how we can improve our chances for success: not only to better protect data, but to operate with better information that increases the consistency and efficiency of our security practices in the year ahead. Taking the time to identify and design the right measurement goals is a good first step.

Copyright © 2017 IDG Communications, Inc.
