Metrics: More than numbers
By definition, metrics are ‘parameters or measures of quantitative assessment used for measurement, comparison or to track performance or production.’
When it comes to an organization’s network infrastructure, and even its security, metrics are a powerful indicator of how well, or badly, the enterprise responds to a given situation.
The reason many organizations fall short when using metrics is miscommunication. IT will often deliver reports detailing user access, permission structures and patch management timetables when justifying additional budgets.
A request for extra storage is made under the guise of gigabytes, terabytes and petabytes. Even orders for desktop computers, tablets and smartphones are complicated by a myriad of confusing acronyms and abbreviations.
While on the surface it all sounds plausible, and perhaps vitally important, what does it actually mean? The reality is, not a lot. Instead of blindly accepting the proposal, CEOs need to demand comprehensible reports from the IT team, framed against the mission of the organization.
Let’s start by looking at one metric that is often tracked, but has little relevance as a management metric - the cost of the security program. In reality there is little correlation between cost and security. For example, if I halved the security budget would I be half as secure? Or equally if I doubled the budget would I be twice as secure? Of course not - infosecurity doesn’t work like that, unfortunately.
Security is not just the remit of the CISO but is a team effort. Any decisions need to be made with a cross-functional view – senior management, business units, sales, marketing, legal, customer support etc. – so that everyone knows the part they play, and IT understands how to weave all the disparate elements together.
As an illustration, a large US retailer defines its CISO’s mission as:
- Ensure our site is available to our customers when they want to shop
- Ensure that our customers feel safe and secure as they shop with us
- Ensure that our customers' information is safe with us at all times
- Ensure that we satisfy the necessary legal, regulatory or internal requirements so that we remain a viable business.
The unrealistic goal
Many executive teams set their CISO up for failure by setting the ‘mission’ as zero breaches. In the real world, things will happen, vulnerabilities will be exploited, and the organization may suffer a breach in spite of its best efforts. With ‘zero breaches’ as the target, your CISO will either fail or resign first.