One of the greatest knocks on the information security profession is that IT security is always asking for budget to spend against the latest threat, only to abandon the cause like harried firefighters, jumping from one conflagration to the next.
Viruses, worms, spam, network access control, data leaks, botnets. Enterprises have been urged to invest in technology to address a litany of critical security issues in the past decade. But how many of those investments have paid off? The answer, many contend, is for enterprises to start basing IT security decisions on sound measurement, rather than hype.
“Our industry has been plagued by a lack of data; in fact, we still argue on what data is useful and what data isn’t so useful when it comes to managing risk,” says Alex Hutton, research and intelligence principal at Verizon Business.
There’s an old business adage that one can’t manage what isn’t measured, and it’s probably a smart assumption that such good sense applies to information security. It’s also apparent, based on this reporter’s talks with many organizations over the past six months, that most businesses have yet to start measuring much of anything when it comes to their IT security program.
“Measuring your environment helps you to do a number of things that you couldn’t do otherwise,” adds Hutton. “You can move away from uncertainty and closer to certainty in your decisions, find best evidence to prove or disprove your assumptions, and make better decisions as a result,” he says.
So where to start? The answer to that question varies from organization to organization, says Pete Lindstrom, research director at Spire Security. “You start with trying to figure out what questions you want answers to,” he says. “That can be straightforward operational metrics, such as figuring out how much various activities cost. It can also be more risk-oriented, such as how many vulnerabilities are present per asset,” Lindstrom explains.
A likely place to start, says Lindstrom, is to focus on those operations metrics that could help to boost the performance of security teams. “If you are looking to optimize your spending, you may want to lay out a set of security tasks you perform on a recurring basis and examine their costs. These could range from policy creation, user account management, virtually any operational task or change,” he says.
That kind of concrete accounting around security spend is still rare within organizations, experts say. Organizations today don’t know how much they spend on the most routine of tasks, such as managing user digital identities.
“Too often an organization starts a risk management program by making up funny numbers at the start,” contends Hutton.
“Once you understand how much it costs currently for such tasks, you get a better notion of how much it could cost using an automated solution, or keeping functions in-house versus outsourcing,” Lindstrom says.
Using metrics can also help to clear away the Fear, Uncertainty, and Doubt (FUD) that surround so many decisions and vendor product and service pitches, Hutton contends. “The big benefit of managing risk based on evidence is that it’s a FUD killer, and helps security professionals make better decisions through better evaluation of vendor claims and organizational risk,” he says.
Helping organizations better understand their risk is one of the reasons why Verizon created the Verizon Enterprise Risk and Incident Sharing (VERIS) framework and application. The VERIS framework acts as a common language that can be used by organizations to consistently describe security incidents. Using VERIS, organizations can anonymously report security incidents that can be shared with others in the VERIS community, Hutton says.
“Information sharing, where you get helpful analytics in return for sharing, helps drive better risk-based decisions,” Hutton says.
“Consider an incident where you have an external hacker using custom malware. You find out through VERIS that it’s a common, or perhaps an uncommon, incident. You can take that data and then show your boss that those attacks are common, and worth investing in better database security,” he says. “If it’s not common, you need to decide if you want to spend money on uncommon attacks. That’s how metrics facilitate more intelligent risk management,” Hutton says.