Instituting Security Metrics
A crisis or catastrophe lurks behind every CNN headline: Devastating worm attacks vulnerable computers. Laptops stolen, along with critical data. Identity theft costs business millions. It's easy to feel constantly under siege.
But there might be a better way. Some experts say that setting up security metrics may be a less-costly long-term solution.
What are security metrics? If measurements and benchmarks can be compared to taking a patient's daily temperature, metrics are the temperature trends that reveal themselves over time. Like key performance indicators, security metrics gauge both where you've been and where you are currently.
'Security metrics identify where the organization is accepting a higher level of risk,' says James DeLuccia, author of IT Compliance & Controls: Best Practices for Implementation (John Wiley & Sons, 2008). 'Accurate information about security operations ensures that only necessary safeguards are deployed, and done so where most effective.' Plus, DeLuccia says that security metrics can help an organization identify where it's spending inefficiently.
Areas to measure security
DeLuccia suggests conducting an inventory of security applications, hardware, and processes. In conjunction, identify the data stores and machines that contain sensitive information. Create performance goals for each security control or process, and then take the 'temperature' of each item through measurements. By doing so, 'the organization delivers the necessary level of services and optimizes security technology,' DeLuccia says.
Here are a few areas for measurement:
- Uptime. Measure your uptime from month to month, and document failures due to vulnerabilities in operating systems, network devices, or applications. Likewise, if you outsource IT security, require your key vendors to report their service levels.
- System security. Public-domain benchmarking tools can reveal your current level of exposure due to flawed setups of Windows, Solaris, or Linux. Online toolkits at sites like the Center for Internet Security indicate best practices. The guides offer step-by-step pointers on locking down your core platforms, including Exchange Server or MySQL server.
- Cost per user. How much are you spending to protect each user or customer? Can you decrease costs while increasing security over time?
- Compliance. John Kindervag, chief security architect with Vigilar, an IT security consulting firm, says that merchants using credit cards should measure their compliance with PCI requirements, always striving to better their performance. 'Use the self-assessment questionnaires and resources from the PCI standards council,' he says. Medical businesses may wish to do self-assessments for HIPAA.
Make comparisons over time
Compare month-to-month, year-to-year to find out where underlying problems exist. 'You want to look at this in a tactical way, using strategy and measurement,' Kindervag says.
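The measurements listed above (uptime lost to vulnerabilities, cost per user, PCI self-assessment coverage) only become metrics once they are compared over time. The following is an added example, not code from the article or from the people quoted in it: it takes a few constructed monthly records (hypothetical figures, not real data), computes each measure, and compares every month with the previous month and with the same month a year earlier, flagging any measure that moved in the wrong direction. The record fields, metric names and the "higher is better / lower is better" convention are this example's own assumptions.

```python
"""Security metrics trend calculator (added example with constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Callable


@dataclass(frozen=True)
class MonthRecord:
    month: str                  # "YYYY-MM"
    minutes_in_month: int       # total minutes in the month
    vuln_downtime_minutes: int  # outage minutes attributed to a vulnerability
    security_spend: float       # spend on security tools, staff and vendors
    users_protected: int        # users or customers covered by the controls
    pci_reqs_met: int           # PCI self-assessment questionnaire items met
    pci_reqs_total: int         # PCI self-assessment questionnaire items total


# Constructed sample data: hypothetical figures for illustration only.
SAMPLE: List[MonthRecord] = [
    MonthRecord("2007-01", 44640, 180, 24000.0, 400, 180, 220),
    MonthRecord("2007-02", 40320, 60, 24500.0, 410, 190, 220),
    MonthRecord("2008-01", 44640, 300, 26000.0, 450, 205, 220),
    MonthRecord("2008-02", 40320, 0, 26500.0, 460, 212, 220),
]


def uptime_pct(r: MonthRecord) -> float:
    """Share of the month not lost to vulnerability-caused outages."""
    return 100.0 * (r.minutes_in_month - r.vuln_downtime_minutes) / r.minutes_in_month


def cost_per_user(r: MonthRecord) -> float:
    """Security spend divided by the number of users it protects."""
    return r.security_spend / r.users_protected


def pci_coverage_pct(r: MonthRecord) -> float:
    """Share of PCI self-assessment items the organisation meets."""
    return 100.0 * r.pci_reqs_met / r.pci_reqs_total


# Metric name -> (function, direction in which the metric should move)
METRICS: Dict[str, Tuple[Callable[[MonthRecord], float], str]] = {
    "uptime_pct": (uptime_pct, "higher"),
    "cost_per_user": (cost_per_user, "lower"),
    "pci_coverage_pct": (pci_coverage_pct, "higher"),
}


def metric_table(records: List[MonthRecord]) -> Dict[str, Dict[str, float]]:
    """Compute every metric for every month: {month: {metric: value}}."""
    return {r.month: {n: fn(r) for n, (fn, _) in METRICS.items()} for r in records}


def prior_month(month: str) -> str:
    year, m = (int(p) for p in month.split("-"))
    return f"{year - 1:04d}-12" if m == 1 else f"{year:04d}-{m - 1:02d}"


def prior_year(month: str) -> str:
    year, m = (int(p) for p in month.split("-"))
    return f"{year - 1:04d}-{m:02d}"


def compare(records: List[MonthRecord], window: str) -> List[dict]:
    """Compare each month with its baseline ("month" or "year" earlier).

    Months whose baseline is missing from the data are skipped rather than
    compared against nothing.
    """
    table = metric_table(records)
    rows = []
    for r in records:
        base = prior_month(r.month) if window == "month" else prior_year(r.month)
        if base not in table:
            continue
        for name, (_, better) in METRICS.items():
            delta = table[r.month][name] - table[base][name]
            regressed = delta < 0 if better == "higher" else delta > 0
            rows.append({"month": r.month, "baseline": base, "metric": name,
                         "value": table[r.month][name], "delta": delta,
                         "regressed": regressed})
    return rows


def regressions(records: List[MonthRecord], window: str) -> List[dict]:
    """Only the comparisons where a metric moved the wrong way."""
    return [row for row in compare(records, window) if row["regressed"]]


if __name__ == "__main__":
    for window in ("month", "year"):
        print(f"== {window}-over-{window} regressions ==")
        for row in regressions(SAMPLE, window):
            print(f"{row['month']} vs {row['baseline']}: {row['metric']} "
                  f"changed by {row['delta']:+.2f} (now {row['value']:.2f})")
```

Run on the sample data, the month-to-month view shows no regressions, but the year-over-year view flags January 2008 against January 2007: uptime fell because more outage minutes were attributed to vulnerabilities, even though cost per user and PCI coverage both improved. That is the kind of underlying problem the comparison is meant to surface; a month-only view would have missed it because the December baseline is absent.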
And DeLuccia points out that by understanding processes and setting goals, businesses streamline security. Reduce risk by reviewing which users have access to sensitive data; replace poor-performing security software (or consultants) with better options.
Applying metrics isn't a quick, overnight exercise -- but neither is growing your business. Measuring security alongside sales leads to a clearer view of your strengths, and where you need to focus your solutions.