Demonstrating ROI Through Monthly Security Metrics

Introduction

The value of an organisation's IT Operations and Cyber/Information Security efforts are often misunderstood by the business key stakeholders, with many senior executives regarding this as being an:

"Invisible and extremely expensive expense!"

That is until things go wrong and it suddenly becomes:

"Extremely visible and even more expensive!"

Essential to creating this visibility and demonstrating the Return On Investment (ROI) is through the effective use of the myriad of security tools to help to visualise all the good work being done by the 3 Lines of Defence (3LoD).

We have to get better at presenting the ROI from the various security tools that the business is paying out for.

Imagine these security tools as being the business' 'Warning Lights', much like car manufacturers provide to the drivers of their vehicles or that the racing car manufacturers provide to their racing car drivers.

The 'Warning Lights' must be appropriate to the type of vehicle (aka business type) and in support of the objectives (aka business objectives).

For example,

• In the world of motor sport, they may wish to monitor the pressures, heat and wear of the tyres.

• However, for a standard vehicle it might only be beneficial to provide a low tyre pressure warning.

Consequently, it is essential to understand what is important for the 'Driver' (aka Key Stakeholders) so that they can make informed decisions, based upon what is important for them and the potential risk to their business operations.

Think:

• Vulnerability

• Threat

• Impact

Your security metrics should articulate the identified vulnerabilities, threats these present to the business and the potential impact of a threat actor exploiting an untreated vulnerability.

For example,

• If you were the driver of a high powered motor vehicle, speeding down a winding mountainside road and the brake light came on you might change your driving style.

• Otherwise, increasing the risks of the brakes failing and the driver careering of the road!

Findings

Many organisations employ a wealth of security monitoring and testing tools but only employ these tools in a reactive manner, to help identify the potential 'Root Cause', post-event/incident.

However, in reality by using these tools in a more proactive manner they may be able to better identify potential dangers before they come to fruition.

Additionally, they can be used to demonstrate to the business key stakeholders of the value they bring to the protection of the business critical assets, ensuring that they continue to 'Drive Safely'!

• Vehicle = Business.

• Driver = Business leaders.

• Passengers = Shareholders, Sensitive Data (e.g. Customer/Employee personal data, Financial/Account information, etc.).

• Vehicle components = Business critical system assets.

• Vehicle warning lights = Monthly security metrics (e.g. Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), Balance Score Cards (BSCs), Audit summaries, etc.)

As the driver of the vehicle, wouldn't you be interested to know how many 'Near Misses' you have had and when your critical systems (e.g. Brake pads) are coming towards their end of life?

Additionally, as the driver, you have a responsibility to ensure that the vehicle remains operational and in a roadworthy condition to ensure that the risks of brake failure does not impact your passengers.

Recommendations

Before developing effective metrics, it is important to understand what metrics your tools are able to generate for you (you might be very surprised at what you discover).

Next, try reaching out to your Key Stakeholders to let them know what information you can make available to them and to glean an appreciation of what is important to them. With them having been engaged in the development of the effective metrics, they are more likely to have an interest in the content you produce each month.

Armed with this information, you can then seek to create a simple dashboard, to clearly and concisely display the trends, near misses, number of alerts and operational risks.

For example (NIST SP800-55 Rev 1),

Measurement During System Development

Security Budget (program-level)

Vulnerability Management (program-level)

Access Control (AC) (system-level)

Awareness and Training (AT) (program-level)

Audit and Accountability (AU) (system-level)

Certification, Accreditation, and Security Assessments (CA) (program-level)

Configuration Management (CM) (program-level)

Contingency Planning (CP) (program-level)

Identification and Authentication (IA) (system-level)

Incident Response) (IR (program-level and system-level)

Maintenance (MA) (system-level)

Media Protection (MP) (program-level and system-level)

Physical and Environmental (PE) (program-level)

Planning (PL) (program-level and system-level)

Personnel Security (PS) (program-level and system-level)

Risk Assessment (RA) (system-level)

System and Services Acquisition (SA) (program-level and system-level)

System and Communications Protection (SC) (program-level)

System and Information Integrity (SI) (program-level and system-level)

Conclusion

We are seeking an ever growing number of businesses that are embracing the technology advances. However, this needs to be tempered with the maintenance of secure and safe technologies.

As the drivers of business, senior management need to be able to understand the current state of the vehicle fleet, so that they can adjust their driving to meet this state, or to make timely investment to maintain their supporting systems.

The metrics reporting provides a unique opportunity for IT Operations, Cyber/Information Security and Internal Audit teams to come together to show the value they provide to the business and to demonstrate how well they are maintaining (the often extremely complex) underlying system components (critical in ensuring that the vehicle continues to operate effectively and safely). However, it is appreciated that the business drivers are focused on getting the most out of their vehicle, so the metrics must be tailored so that they provide appropriate, timely and easily understood warnings for the busy drivers.

Additionally, it is extremely important that the drivers take heed of these warnings and not to ignore them, hoping that this will just go away on its own (this often leads to far more costly interventions, later on!).

Metrics should not be seen as something to be feared but, rather, as being something that should be regarded as being mutually beneficial for the drivers, passengers and the supporting pit crews.