Field Research: Security Metrics Programs



Similar documents
2012 National BDPA Technology Conference. Defining Project and PMO Metrics

Leveraging Network and Vulnerability metrics Using RedSeal

The Value of Vulnerability Management*

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Vulnerability management lifecycle: defining vulnerability management

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Information Risk Management. Alvin Ow Director, Technology Consulting Asia Pacific & Japan RSA, The Security Division of EMC

Metrics that Matter Security Risk Analytics

End-user Security Analytics Strengthens Protection with ArcSight

Improving Residual Risk Management Through the Use of Security Metrics

Vulnerability Management

STREAM Cyber Security

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Risk Management Frameworks

Extreme Networks Security Analytics G2 Vulnerability Manager

THE TOP 4 CONTROLS.

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Benchmark Against Best Practice Service Delivery Metrics

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

2011 Forrester Research, Inc. Reproduction Prohibited

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

How Boards of Directors Really Feel About Cyber Security Reports. Based on an Osterman Research survey

Pragmatic Metrics for Building Security Dashboards

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Improving Network Security Change Management Using RedSeal

Audit of Project Management Governance. Audit Report

Best Practices for Building a Security Operations Center

Alliance Scorecarding and Performance Management at TechCo. A Vantage Partners Case Study

Leveraging a Maturity Model to Achieve Proactive Compliance

What is Penetration Testing?

DATA AUDIT: Scope and Content

A Practical Guide to Improving PCI Compliance Posture

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

RSA Data Loss Prevention (DLP) Understand business risk and mitigate it effectively

Regulatory Compliance Management for Energy and Utilities

Enabling Security Operations with RSA envision. August, 2009

Total Protection for Compliance: Unified IT Policy Auditing

Building a Data Quality Scorecard for Operational Data Governance

Project Management and ITIL Transitions

Best Practices to Improve Breach Readiness

FIVE PRACTICAL STEPS

A proven 5-step framework for managing supplier performance

CISOs Discuss Best Ways to Gain Budget and Buy-in for Security

IT Risk & Security Specialist Position Description

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

IT Governance. What is it and how to audit it. 21 April 2009

Trend Micro Healthcare Compliance Solutions

Measuring The Value of Information Security. Maninder Bharadwaj 23 th July 2011

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin

NEC Managed Security Services

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Enhancing Outsourcing Relationship Management Capabilities: Driving Greater Value from AllianceBernstein s Global Operations

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Discover what the power of one service provider can do for your bank.

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

ANALYTICS. Acxiom Marketing Maturity Model CheckPoint. Are you where you want to be? Or do you need to advance your analytics capabilities?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

ITIL V3 Foundation Certification - Sample Exam 1

Blending Corporate Governance with. Information Security

RESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT

Symantec Control Compliance Suite Standards Manager

Managed Services. Business Intelligence Solutions

Information Technology Solutions

Establish Collaborative Strategies to Better Manage a Global Vendor Network Devise a Proper Float Plan

Symantec DLP Overview. Jonathan Jesse ITS Partners

10 Best-Selling Modules For Home Information Technology Professionals

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Security Operations Metrics Definitions for Management and Operations Teams

IT Security & Compliance. On Time. On Budget. On Demand.

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

White paper. Creating an Effective Security Operations Function

Governance, Risk, and Compliance (GRC) White Paper

Planning for and implementing security logging

Intelligence Driven Security

CloudCheck Compliance Certification Program

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. Session Objectives. Introduction Tom Walsh

Transcription:

Ramon Krikken Analyst Security and Risk Management Strategies Burton Group Field Research: Security Metrics Programs All Contents 2009 Burton Group. All rights reserved.

Security Metrics Programs 2 Field Research: process, timeline, and demographics Focus on security governance and management topics In-depth interviews with senior-level security management Spanning 30 organizations; 25 in North America, 5 in Europe Private sector only; no government or educational institutions Interviews conducted between February and April 2009 Financial Services 7 Insurance 2 Computer HW/SW 4 Pharmaceuticals 2 Health Care 3 Transportation 2 Retail 3 Travel 1 Manufacturing 3 Media 1 Energy 2

Security Metrics Programs 3 Summary of findings Frameworks for metrics programs vary greatly Metrics programs are at varying levels of maturity A wide range of measurements is collected A limited range of metrics is reported to management Perceived success often related to business / culture Metrics programs are increasingly formalized

Security Metrics Programs 4 Most participants act on perceived utility Risk metrics measured at various levels, during projects and for existing processes and infrastructure Incident metrics measuring rates of occurrence, impact to the organization, and resolution efforts Operational metrics measuring a variety of processes and technologies on status, effectiveness, and efficiency Compliance metrics relating to performance in the previous categories Visible trend towards formal metrics programs and review boards, but maturity and the perceived success of the program wildly vary

Security Metrics Programs 5 Some participants speak about perceived futility No one has ever been able to measure security executives only care about the incidents that impact the business. Success is really binary it was prevented or not. If there's no impact, then no one cares that it was prevented. Quantitative measurements of security can't be done. Exhibited in two ways: what metrics are collected by whom, and how they are (or are not) communicated to executive management

Security Metrics Programs 6 Framework for Metrics Program Organizations vary in metrics program focus Some security groups focus on results/outputs Some groups focus on controls and compliance Technical metrics relate to exceptions and are generated by tools SLAs are used to set targets that are subsequently tracked Economic model may be used to assess effectiveness of controls Value of metrics can be hard to show in business context If the business continues to run then that s success Cannot always easily connect security success and failures with impact on the business goals (particularly in certain verticals) Showing ROI, other than cost savings, is still hard for many

Security Metrics Programs 7 Low-level security metrics and measurements Low level metrics are produced by security tools, such as SIEM, vulnerability management, DLP, etc: Number of laptops protected with full drive encryption Number of fully patched systems How quickly patches are deployed How long it takes to remediate a vulnerability Number of vulnerabilities per line of application code Audit finding mitigation in place Results of vulnerability scans Number of malware/virus incidents Percentage of systems with latest AV signatures Number of trouble tickets concerning security Number of DLP policy violations

Risk metrics Security Metrics Programs 8 Risk metrics tend to be subjective and hard to quantify Lack of formal risk metrics and process in some organizations Likelihood information is often inaccurate Relative risk is easier to work with than absolute risk Map to industry best practices whenever possible Metric thresholds and dashboards help to focus (red, yellow, green) Results of assessments and audits are important metrics Several organizations measure themselves by improvement Benchmarking is mentioned, but only by few organizations Exceptions to policies and standards are tracked As expected, interpretation of risk is highly contextual

Incident metrics Security Metrics Programs 9 Many organizations (as expected) track incidents Data breach metrics sometimes assigned a dollar cost No strong indications of benchmarking However, not all organizations view things the same way Definitions of what is an incident vary at the detail level Some definitions are text-book, others more contextualized Business context again determines what matters Several interviewees commented that management does not necessarily care about all incidents; only about business impact

Security Metrics Programs 10 Metrics and measurements reported to management Number of security assessments performed Exceptions to compliance policies Application risk scores Internal and external audit findings Security awareness attestations, surveys, and test results Incidents and related costs Satisfaction surveys Compliance with internal and external service level agreements (SLAs) such as for security operations requests Security group budget and accuracy of project cost estimates Status of active security projects Payment Card Industry Data Security Standard (PCI DSS) compliance status and dates met

Security Metrics Programs 11 Metrics reporting and use Tactical operational security metrics are reported on weekly/monthly basis Operational or technical security metrics are used within IT security organization and IT Operations, but are not useful to senior execs Several cases where CISO explicitly notes management is not interested in operational metrics or even security incident metrics Security status and security project status are often visible to senior management and board oversight groups Focus on how well policy and controls are implemented Results of awareness testing, assessments, and audit findings Identify compliance exceptions or important operational incidents

Security Metrics Programs 12 Relationship to Compensation Metrics that can show performance improvement are more visible and may impact compensation/bonus Personal and team objectives per role, but not tied to incident metrics Security organization objectives for improvement and team bonus may be tied to metrics/dashboard Several cases where this is tied to security operations efficiency Other cases where it is tied to security budget management In some cases CISO compensation is based both on hard numbers and assessment by peers In one case a survey was used to assess alignment with the business One CISO noted this relates to how others [business] feel about security

Security Metrics Programs 13 Reporting, tools, and dashboards Organizations are moving towards greater automation in their metrics programs Some examples where Archer s suite is used to aggregate metrics data from other sources Some use of dashboards that are based on internal spreadsheets Manually compiled from variety of sources, including security tools Spreadsheets are still at the top of data management for metrics! Scorecards that assess BUs or sites against a set of controls Track exceptions to policy and progress towards remediation One CISO notes to only gather the data you plan to use Indication of information overload?

Security Metrics Programs 14 Example of Operational Security and Compliance Dashboard

Conclusions Security Metrics Programs 15 Some organizations appear successful in creating and communicating metrics that connect with business goals A fair number of interviewees experience disconnects with management, and some doubt metrics are doable There is still a large gap between low-level operational metrics and mid-level program and management metrics Effective positioning/operation of the security team(s) appears vital to develop effective metrics programs

Security Metrics Programs 16 Related Burton Group Research and Recommended Reading Security Key Performance Indicators Security Metrics: Horses for Courses Introduction to Key Risk Indicators Thinking Strategically About Security Metrics Using Metrics Effectively: Proving and Improving the Business Value of IT You Manage What You Measure

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information