Why is so much of technology security such a mystery? In particular, why does it have so few metrics?
I get it. For any given company, if there hasn't been a breach lately, it's assumed that defenses must be working. But shouldn't there be better measurements of effectiveness? Some level of business accountability? A basic ROI calculation?
Consider the size of the security budget: Gartner projects that global spending on information security products and services will exceed $93 billion in 2018 alone, and that number keeps growing. Last year, we saw the seventh consecutive year of security budget increases, with a compound annual growth rate of 6% from 2010 to 2013, and 11% from 2014 to 2017.
Let's bring up the bottom line here. Cybersecurity is not an IT issue. It's a business conversation. In fact, it's a business priority.
As a retired Major General of the U.S. Air Force with three decades of experience leading large-scale efforts to defend global networks, I've been at the intersection of big budgets and serious dangers to infrastructure security. I understand the complex and always-expanding challenges that security chiefs face. There are always new technologies featuring strange vulnerabilities, evolving threat vectors, and emerging cybercriminal operations with sophisticated tactics.
However, this doesn't mean that cybersecurity initiatives should get a pass on the standards that every other department must meet. And for a long time, they've enjoyed exactly that freedom.
Sure, most organizations do make efforts to measure cybersecurity effectiveness, but not in terms of how it benefits the business. The SMI benchmark survey, which consulted 400 global business and security executives, found that 58% of respondents scored a "failing grade" when evaluating their organization's efforts to measure their cybersecurity investments and performance against best practices.
Unlocking the Mysteries of Cybersecurity
Somehow, cybersecurity investments are seldom seen as business decisions. Rather, they are viewed as a kind of mysterious black box with contents that are a deeply held secret. Don't ask too many questions, because it might jinx the process.
So, what's the answer here? How do we measure cybersecurity effectiveness like every other metrics-driven business unit? When I was CIO at US Transportation Command, I established an oversight committee to evaluate the business impact and risks associated with cybersecurity investments. The channel of communication from the security operations center to the CISO to the boardroom had a major impact.
Most organizations still don't apply business-related, risk-based metrics to their cybersecurity efforts. Those that do often measure the wrong things — for example, things that can't be validated or represent only a snapshot in time. The key question to ask is: "Are we measuring the validity, value, and effectiveness of our cybersecurity controls?"
Traditional models of measuring cybersecurity effectiveness are siloed and fragmented; cybersecurity measures are managed across separate enterprise channels, and important data is underutilized. Cybersecurity for business needs to be holistic and intelligent while delivering actionable insights, so that resources are focused and prioritized based on associated risk.
For example, IT and networking shops have countless management layers that perform synthetic transactions, run Internet Control Message Protocol (ICMP) checks, and answer questions about their environment: "Is my network up? Is it fast?" Capacity planning predicts how much disk space, CPU, and RAM will be required based on trends. Why don't we have processes like these for cybersecurity? Specifically, what are the technologies and processes we can implement to position cybersecurity as a metrics-driven business unit? I offer three possibilities.
Possibility 1: Elevate Security to the Highest Levels
Let executives from the boardroom on down be directly involved in management, with all the accountability that requires. The primary question is: "Are we acting appropriately regarding cybersecurity for our customers and our shareholders?"
An enterprise cannot determine how much risk to avoid, accept, mitigate, or transfer (via cyber insurance) without actionable metrics backed by empirical data. This happens when a CISO can compare and trend both subjective security data (such as internal assessments) and objective data points (such as automated monitoring). By contrast, legacy metrics like "time to patch" and "number of attacks stopped by the firewall" are static views. A true security posture can only be achieved through real-time automated assessments of the controls in place.
Possibility 2: An Automated and Proactive Defense
Organizations now face more pressure and more aggressive threats than ever before. Consequently, the defense strategy must be proactive and automated. For example, penetration testing can be automated so that controls are evaluated continually rather than periodically.
Possibility 3: Visibility into Business Risk
Forget the mystery. Develop quantitative and measurable data to make wise security investment choices. Ideally, measure and communicate cyber-risk in financial terms, such as the probability and expected cost of security incidents based on current cyber-risk conditions.
None of this will be easy. But as the budgets continue to spike — even as the data breaches keep happening — we need to tie security to accountability. This is a business, and that makes business sense.
Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead ...