Developing Security Metrics for Enterprise Risk Management

Developing security metrics for your organization can be a daunting process. IT pros, however, say deciding on security metrics can be the difference between effective security and serious vulnerabilities.

When Bruce Jones decided to serve as global IT security risk and compliance manager at Eastman Kodak Company, he found he had a challenging problem on his hands - how to create a solid set of security metrics that could be used to communicate risk to the rest of the business.

Roughly two-and-a-half years later, Jones can boast of a risk management program that does exactly that.

For businesses, developing the right set of metrics is a key part of maintaining security throughout the enterprise. Metrics provide organizations a measuring stick to use to effectively judge risk. But establishing those standards and integrating them into a risk management program can be a daunting task, security pros say. Enterprises should begin by establishing clear objectives for their metrics and ensuring the process for gathering them is repeatable and manageable.

"People kind of get a mental vapor lock because it's just too hard to do everything, and they end up not doing a lot or doing nothing," said Rich Mogull, an analyst with Securosis. "Don't look at the [Center for Internet Security] benchmarks and try to do it all at once. Take those, pick a high-priority area, make sure you understand it, implement it well, use whatever tools you have and move on to the next area."

At Kodak, Jones started by researching what other organizations were doing, but found many of the approaches were either too mathematical, required a tremendous amount of work to manage or unsuitable for communicating with the business side of the house. What he ended up with was a multitier dashboard that ranks items based on the likelihood of problems and the potential impact if something went wrong. The items in the tiers range from access management to intrusion detection and malware.

Tier one, the highest tier, is reserved for issues that have a very serious impact and would need to be remediated immediately.

"Once we got that foundation done...then we started working on our dashboard using that tier-based approach," he continued. "The goal I had was to try and develop a dashboard that added minimal amount of effort on the people who were going to be providing the metrics. It had to be metrics that were readily available that people were already tracking or were available in databases [and] were fairly easy to pull together."

For example, the company turns to McAfee ePolicy Orchestrator for data on the number of viruses found and how many machines are not up-to-date with their DAT files. For their configuration and change management risk measure, the company uses a tool to gather data on server compliance and pulls other information from a database it created to collect information about workstation configurations.

This and other data is gathered up once a month and fed into a dashboard. That part of the process is largely manual, Jones said.

"We really haven't automated a lot of these metrics feeds," he told eWEEK, adding he would like to make the process a little less manual. "I would like to be able to at any time go in and bring up the dashboard and see a real picture, point-in-time measurement of what the risk posture is rather than having to wait until the end of the month to gather the data."

His advice to others - start with metrics that are easy to collect and don't take a lot of time, and consider using statistics as a foundation so the data can be easily communicated to the business-side of the house.

"The harder metrics are to collect and the longer it takes people to collect it the less likely it is to succeed over time, because people are just going to get frustrated with it over time," he said. "[Also] I highly advise people [to] look at that statistical process control model, because that gives you a baseline and helps you justify expenditures."