Measuring and. Communicating. Security's Value. A Compendium of Metrics. for Enterprise Protection



Similar documents
IMPROVEMENT THE PRACTITIONER'S GUIDE TO DATA QUALITY DAVID LOSHIN

Risk Analysis and the Security Survey

Job Hazard Analysis. A Guide for Voluntary Compliance and Beyond. From Hazard to Risk: Transforming the JHA from a Tool to a Process

Measuring Data Quality for Ongoing Improvement

AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Academic Press is an imprint of Elsevier

Securing the Cloud. Cloud Computer Security Techniques and Tactics. Vic (J.R.) Winkler. Technical Editor Bill Meine ELSEVIER

Metrics and Methods for Security Risk Management

CIMA'S Official Learning System

Computing. Federal Cloud. Service Providers. The Definitive Guide for Cloud. Matthew Metheny ELSEVIER. Syngress is NEWYORK OXFORD PARIS SAN DIEGO

Customer Relationship Management

Cyber Attacks. Protecting National Infrastructure Student Edition. Edward G. Amoroso

Security Metrics. A Beginner's Guide. Caroline Wong. Mc Graw Hill. Singapore Sydney Toronto. Lisbon London Madrid Mexico City Milan New Delhi San Juan

Agile Development & Business Goals. The Six Week Solution. Joseph Gee. George Stragand. Tom Wheeler

Configuration. Management for. Senior Managers. Essential Product Configuration. and Lifecycle Management

Master Data Management

Supply Chain Strategies

Human Performance Improvement

Strategic Management

Delivery. Enterprise Software. Bringing Agility and Efficiency. Global Software Supply Chain. AAddison-Wesley. Alan W. Brown.

for the Entire Organization

Supply Chain Risk. An Emerging Discipline. Gregory L. Schlegel. Robert J. Trent

Lean Supply Chain and Logistics Management

IT Manager's Handbook

Managing Data in Motion

Purchasing and Supply Chain Management

Winning the Hardware-Software Game

Big Data Analytics From Strategie Planning to Enterprise Integration with Tools, Techniques, NoSQL, and Graph

SOFTWARE TESTING AS A SERVICE

SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL

Implementing the Project Management Balanced Scorecard

Network Security. Windows 2012 Server. Securing Your Windows. Infrastructure. Network Systems and. Derrick Rountree. Richard Hicks, Technical Editor

Audit Committee Charter

Relationship marketing

Open Source Toolkit. Penetration Tester's. Jeremy Faircloth. Third Edition. Fryer, Neil. Technical Editor SYNGRESS. Syngrcss is an imprint of Elsevier

Platform Ecosystems. Aligning Architecture, Governance, and Strategy. Amrit Tiwana AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO

AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Academic Press is an imprint of Elsevier

Private Equity and Venture Capital in Europe

MIKE COHN. Software Development Using Scrum. VAddison-Wesley. Upper Saddle River, NJ Boston Indianapolis San Francisco

Virtualization and Forensics

Singapore Exchange Sustainability Reporting Guide. Guide to Sustainability Reporting for Listed Companies

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

Engineering DOCUMENTATION CONTROL HANDBOOK

How To Write A Diagram

Governance Simplified

for Research and Guiding Innovation for Positive R&D Outcomes Lory Mitchell Wingate

Data Warehousing in the Age of Big Data

Valvation. Theories and Concepts. Rajesh Kumar. Professor of Finance, Institute of Management Technology, Dubai, UAE

REVENUE CYCLE MANAGEMENT : A DEEPER DIVE

Improving Business Process Performance

Kathy Schwalbe, Ph.D., PMP Augsburg College. ; \ COURSE TECHNOLOGY *» CENGAGE Learning-

Fixed/Mobile Convergence and Beyond AMSTERDAM BOSTON. HEIDELBERG LONDON

How to measure your business resiliency

PRIORITIZING CYBERSECURITY

Contents. Assessing Social Media Security. Chapter! The Social Media Security Process 3

Practical Text Mining and Statistical Analysis for Non-structured Text Data Applications

Business Continuity Trends, Requirements and Expectations in Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

Improving management reporting using non-financial KPIs

IT Governance Regulatory. P.K.Patel AGM, MoF

IT Governance. What is it and how to audit it. 21 April 2009

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

The Process. Improvement. Handbook. A Blueprint for Managing Change and. Increasing Organizational Performance. Tristan Boutros.

An End-to-End Population Health Management for High Risk Patients

Risk Management Policy

Cloud Computing. Theory and Practice. Dan C. Marinescu. Morgan Kaufmann is an imprint of Elsevier HEIDELBERG LONDON AMSTERDAM BOSTON

Social Media Marketing

1 of 7 31/10/ :34

LGMA Qld Governance and Corporate Planning Village Forum

Public Relations in Schools

Molecular Biology Techniques: A Classroom Laboratory Manual THIRD EDITION

B408 Human Resource Management MTCU code Program Learning Outcomes

The Morningstar Sustainable Investing Handbook

2 Day In House Demand Planning & Forecasting Training Outline

Supporting information technology risk management

CPSM Review Program. This module is titled: Foundation of Supply Management and upon completion of this course, the student will:

The Contract Scorecard

Managing the Unmanageable

KEY PERFORMANCE INDICATORS (KPIS): DEFINE AND ACT

Compensating the Sales Force

INTERNATIONAL MONEY AND FINANCE

IPMS Insurance Performance Management System

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

The Data Access Handbook

QUANTITATIVE METHODS. for Decision Makers. Mik Wisniewski. Fifth Edition. FT Prentice Hall

FYI HIRING. Recruiting Strategies

Obj ect-oriented Construction Handbook

International Diploma in Risk Management Syllabus

Integrating risk and performance in management reporting. Research executive summary series Volume 7 Issue 5

Ninth Edition. David W. Cravens. Nigel F. Piercy. McGraw-frSiBI irwin. M.j. Neeley School of Business Texas Christian University

Preparation for ISO OH&S Management Systems

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

Business Finance. Theory and Practica. Eddie McLaney PEARSON

Transcription:

Measuring and Communicating Security's Value A Compendium of Metrics for Enterprise Protection George Campbell AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO

Contents About the Author Foreword Special Thanks A Short Story to Set the Stage Some Notes to the Reader on Using This Book xiii xv xvii xix xxiii CHARTER 1 Metrics Management It is Not About the Numbers 1 Introduction 1 Metrics Program Assessment 2 Using This Assessment 6 Building Your Program 7 Step 1: Identify the Business Drivers and Objectives for the Security Metrics Program 8 Step 2: Determine Who Your Metrics Are Intended to Inform and Influence 9 Step 3: Identify the Types and Locations of Data Essential for Actionable Security Metrics 9 Step 4: Establish Relevant Risk-Related Metrics 11 Step 5: Focus Your Metrics on Demonstrating Security's Multiple Benefits to the Business 12 Step 6: Establish Internal Controls to Ensure Integrity of All Data, Data Assessments, and Protection of Confidentiality 13 A Few Closing Thoughts 15 Great Data, Great Opportunity but Bad Presentation! 16 What is the State of the Art in Corporate Security Metrics? 18 Is This the State of Our Art? 19 Benchmarking Your Metrics with Peers 27 Finding Value in Security Benchmarking 28 Introduction 28 The Challenge 29 Established Models of Benchmarking Comparison 30 Current State of Security Benchmarking 30 Qualitative or Quantitative? 32 Key Performance Indicators 32 Key Risk Indicators 33 Best Practices 34

viii Contents Managing the Limitations of Benchmarks and Benchmarking 34 Gelting the Most Out ofvaluable Responses 36 Conclusion 36 Benchmarking Security Metrics Programs 36 Who Is Driving the Need from above? 37 What Business Drivers Are Pushing the Need for Improved Metrics from within the Security Organization? 37 What Have Been the Roadblocks to Metrics Development? 37 Observation 38 What Security Programs Are the Focus of Your Metrics? 38 What Best Describes the Current Status of Your Security Metrics Program? 39 Single versus Multisector Benchmarking 42 Summary 43 CHARTER 2 Quantifying & Communicating on Enterprise Risk...45 Introduction 45 Managing Enterprise-Wide Board Risk 46 A Conceptual Risk Picture 46 Enterprise Risk Council 47 Security's Role in Risk Management 48 Next Steps 48 Operating the Radar and the Relevance of "What If' 50 Leading Indicators 50 Addressing the Obvious 51 Managing Competency 51 Protecting the Supply Chain 51 Managing "What If?" 52 Managing Accountability 52 Managing System Reliability 52 Summary 52 Identifying Exploitable Security Defects in Business Processes 52 Risk Management Strategy 53 Where Are the Data? 54 A Caution on Likelihood 54 Focus Your Metrics on Avoidable Risk 54 Measuring the Impact of Background Investigations 55

Contents ix Tracking Preventable Risk 56 Risk Management Strategy 57 Cost Assignment to Preventable Security Incidents 58 Identify and Advertise the Causes of Loss 59 Risk Management Strategy 60 Measuring the Elements of Effective Access Management 60 Strategy 62 Measuring Security Awareness 65 Surveys Deliver the Data 66 Testing Delivers the Data 67 Risk Awareness Assures Preparedness 67 Workplace Violence 69 Advertising the Failure to Act 71 Leveraging the Learning 72 Measuring Compliance Risk 73 Risk Management Strategy 73 When Does an Avoidable Risk Become Inevitable? 75 The Idea 75 The Business Risk Profile 76 The Risk Management Strategy 76 Tracking Nuisance and False Alarms 77 Reducing Nuisance Alarms 79 Summarizing Avoidable Risk 80 Meters and Dials Tracking and Monitoring Key Risk Indicators 80 Key Risk Indicators at the Enterprise Level 80 Summary 81 Key Risk Indicators at the CSO Level 82 Take a Deeper Dive on Multiyear Trends to Highlight Risk 85 Build a Risk Indicator Dashboard 86 Risk Management Strategy 86 Measuring Risk Assessment Program Effectiveness 87 Identifying the Threshold of "Acceptable" Risk 88 Creating a Business Unit Scorecard 90 Objective 90 Risk Management Strategy 90 Where Are the Data? 92

X Contents Tracking Risk in Outsourcing 92 Information Technology Contractor Risk 92 Where Are the Data? 93 Tracking Key Risk Indicators in Business Continuity 94 Business Integrity and Reputational Risk 95 Bröken Windows in the Boardroom 96 Risk Personified The Knowledgeable Insider 98 Incident Analysis Identifies Evolving Insider Threats 101 What Is the Cost of a Bad Employee? 103 Use Your Metrics to Influence Policy 104 Measuring Impact of Security Incidents on Business Productivity 106 Tracking Internal Investigations 108 Tracking Disciplinary Action 110 Insider Risk in Outsourced Business Process 110 Tracking Losses from Fraud, Waste and Abuse 111 Confidential Hotline Reporting 112 A Simple Dashboard on Reputational Risk 113 Unintended Consequences Another View of Incident Impact on Productivity 114 Summarizing Insider Risk Measurement 115 Transitions Moving the Lens from Risk to Performance Indicators 115 CHARTER 3 Measuring Security Program Performance 117 Introduction 117 Key Performance Indicators 118 KPI Objectives 119 Strategy 119 Communicating Program Performance with Dashboards 120 Summary 124 Physical Security Is Measurable 124 Alerting Management to High Probability Risk 126 Risk Management Strategy 127 Measuring and Managing Your Regional Security Team 128 Challenges 129 Measuring and Managing Your Guard Force Performance and Cost 130 Measuring Vendor-Based Alarm Response 133 Tracking Protective Services Key Performance Indicators 134 Risk Management Strategy 135 Summary 135

Contents xi Security Operations Control Center Metrics 136 Operational Criticality 136 Performance Measurement 137 Secure Area Reliability 138 The Critical Measure of Time to Respond 138 Risk Management Strategy 139 Summary 141 Measuring for Operational Excellence in Security Services 141 Measure Risk Exposure with Security Inspections 143 Risk Management Strategy 143 Where are the Data? 144 What Do You Want to Achieve with This Information? 145 Measuring and Managing Cost 145 Show Me the Money: Task and Time Analysis 147 Expense Management: The Inevitable KPI 148 Slash and Burn 148 Showing the ROI of Contract Security Forces 151 Cycle Time: An Expected Measure of Performance 153 Information Security 155 Metrics are Bidirectional: Failure as a Performance Indicator 155 Measuring Progress of Annual Plans and Objectives 156 Summary 158 Is Compliance a Key Risk Indicator or a Key Performance Indicator? 158 Objective 159 Risk Management Strategy 159 Security Contract Compliance Auditing 161 Background 161 Risk Management Strategy 162 Questions 163 Measuring for Integrity: Background Investigations 163 Risk Management Strategy 163 Summary 165 Measuring Executive Protection Programs 165 Business Unit Criticality, Resilience, and Continuity Flanning 166 Summary 168 Measuring Security Awareness Programs 169 Risk Management Strategy 169 The Absence of Awareness Is a Key Contributor to Risk 171

xii Contents Ability to Influenae the Business Is a Key Performance Indicator 173 Warning Signs of Security's Decreasing Influenae 174 Measure Influenae by Tracking Acceptance of Recommendations 177 Risk Management Strategy 178 Security' s Value Proposition: Value Is a Key Performance Indicator 179 Finding a Corporate Security Value Proposition 179 Measuring Security' s Value 181 Do Business Units Value Security Recommendations? 184 Use Metrics to Demonstrate Security's Alignment with Business Objectives 186 Risk Management Strategy 186 A Simple Analysis Yields Valuable Results 187 Security's Balanced Scorecard 188 Benchmarking Security Operations 189 Security Expense versus Cost of Loss 191 A Few Metrics You Should Really Consider 193 Key Risk Indicators 194 Influence Indicators 194 Key Performance Indicators 195 Value Indicators and Financial Perspective 195 Value Indicators: Customer Perspective and Business Process Enablement 195 Some Closing Thoughts 196 Index 197

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information