Developing security metrics for your organization can be a daunting process. IT pros, however, say deciding on security metrics can be the difference between effective security and serious vulnerabilities.
When Bruce Jones decided to serve as global IT security risk and
compliance manager at Eastman Kodak Company, he found he had
a challenging problem on his hands - how to create a solid
set of security metrics that could be used to communicate
risk to the rest of the business.
Roughly two-and-a-half years later, Jones can boast of a risk management program that does exactly that.
For businesses, developing the right set of metrics is a key part of
maintaining security throughout the enterprise. Metrics provide
organizations a measuring stick to use to effectively judge risk. But
establishing those standards and integrating them into a risk management program can
be a daunting task, security pros say. Enterprises should begin by
establishing clear objectives for their metrics and ensuring the
process for gathering them is repeatable and manageable.
"People kind of get a mental vapor lock because it's just too hard to
do everything, and they end up not doing a lot or doing nothing," said
Rich Mogull, an analyst with Securosis. "Don't look at the [Center for Internet Security] benchmarks and
try to do it all at once. Take those, pick a high-priority area, make
sure you understand it, implement it well, use whatever tools you have
and move on to the next area."
At Kodak, Jones started by researching what other organizations were
doing, but found many of the approaches were either too mathematical,
required a tremendous amount of work to manage or unsuitable for
communicating with the business side of the house. What he ended up
with was a multitier dashboard that ranks items based on the
likelihood of problems and the potential impact if something went
wrong. The items in the tiers range from access management to
intrusion detection and malware.
Tier one, the highest tier, is reserved for issues that have a very serious impact and would need to be remediated immediately.
"Once we got that foundation done...then we started working on our
dashboard using that tier-based approach," he continued. "The goal I
had was to try and develop a dashboard that added minimal amount of
effort on the people who were going to be providing the metrics. It had
to be metrics that were readily available that people were already
tracking or were available in databases [and] were fairly easy to pull
For example, the
company turns to McAfee ePolicy Orchestrator for data on the number of
viruses found and how many machines are not up-to-date
with their DAT files. For their configuration and
change management risk measure, the company uses a tool to gather
data on server compliance and pulls other information
from a database it created to collect information about
other data is gathered up once a month and fed into a
dashboard. That part of the process is largely manual, Jones said.
haven't automated a lot of these metrics feeds," he told eWEEK, adding
he would like to make the process a little less manual. "I would like
to be able to at any time go in and bring up the dashboard and see a
real picture, point-in-time measurement of what the risk posture is
rather than having to wait until the end of the month to gather the
advice to others - start with metrics that are easy to collect and
don't take a lot of time, and consider using statistics as a foundation
so the data can be easily communicated to the business-side of the
metrics are to collect and the longer it takes people to collect it the
less likely it is to succeed over time, because people are just going
to get frustrated with it over time," he said. "[Also] I highly advise
people [to] look at that statistical process control model, because
that gives you a baseline and helps you justify expenditures."