Metrics, KPIs and Making Business Sense of Infosec

Tuesday, March 27, 2012

Rafal Los


What is the difference between a metric and a KPI? I'm not asking you to look up the dictionary definition of each and contrast them, but rather to think about how each is perceived and what each is for. A metric is something you can count; a KPI is a measurement that someone outside security has agreed tells them whether a goal is being met.

Robert Lemos, a contributing writer for Dark Reading, had an interesting perspective on metrics in an article back on February 24th called "Five Strategic Security Metrics to Watch."

It's a good article, but I think its focus should have been the quote from Kevin Lawrence of Stach & Liu: "Everything comes down to whether the business impact is worth the security reward," says Lawrence. "It does not make sense to close a vulnerability if you can't then do business."

Now, that is something I just don't hear said often enough when I talk to security professionals at the practitioner level. The managers have already woken up to this reality, or they've simply chosen the path of irrelevance, but the practitioners haven't been converted en masse yet. This is an unfortunate fact.

Look, I'm not asking everyone to stop focusing on the best way to find, validate and remediate vulnerabilities in mobile code, nor am I trying to shift focus away from finally developing a successful reference architecture for the migration to cloud services. What I'm trying to highlight is that while all of that is happening, we need to keep an eye on the real prize, the bigger goal, if you will.

Ultimately, I know many of you will move on in your careers into management or leadership, and you'll be asked to answer the question: "How is IT Security performing?" This isn't a technical question, and it does not require a technical answer.

As IT Security budgets increase proportionally within your IT organization to meet the growing global cyber threat (who had that one on their bingo card?), we're going to have to start answering concrete questions about what we're doing with the delta in capital and operational expenditure.

Does a 10% increase in spending on IT Security really make us 10% safer... or is that just the rambling of a madman? How much money does it take to double the company's security posture? Can anyone even begin to measure that?

Questions like these require not only big thinking but an understanding of risk that goes beyond simple 'vulnerability' metrics. As we've pointed out many times in conversations and here on the blog, a vulnerability is not always a risk to the business: an exploitable flaw on a system nobody depends on is a finding, not a business risk. Are you mentally prepared to get past that?
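As an added illustration (not part of the original post, and not a Project Zosimos artifact), the following Python sketch runs a handful of constructed findings through both a conventional vulnerability metric (count by CVSS severity) and a business-risk ranking that weights each finding by the asset's business impact, exposure and compensating controls. The asset names, finding IDs and multipliers are assumptions made up for the example, not a published scoring standard; only the CVSS qualitative buckets are the standard v3 ones.

```python
"""Metric vs. KPI: count findings by CVSS severity, then re-rank the same
findings by business risk.  Added illustration; the multipliers below are
assumptions chosen for the example, not a published scoring standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int            # 1 = throwaway lab box ... 5 = revenue-critical
    internet_facing: bool
    compensating_controls: float = 0.0  # 0.0 = none ... 0.9 = strong (segmentation, WAF, MFA)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: Asset
    cvss: float                     # technical severity, 0.0 - 10.0
    public_exploit: bool


def severity_bucket(cvss: float) -> str:
    """CVSS v3 qualitative severity ratings."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def count_by_severity(findings):
    """The classic vulnerability *metric*: how many open findings per severity."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[severity_bucket(f.cvss)] += 1
    return counts


def business_risk(f: Finding) -> float:
    """Residual business risk = likelihood of exploitation x business impact.
    The multipliers are illustrative assumptions."""
    likelihood = f.cvss / 10.0
    likelihood *= 1.5 if f.public_exploit else 1.0        # weaponised flaws get exploited
    likelihood *= 1.5 if f.asset.internet_facing else 0.5  # reachable vs. internal only
    likelihood *= 1.0 - f.asset.compensating_controls      # controls reduce likelihood
    return likelihood * f.asset.business_impact


def rank_by_business_risk(findings):
    """Same findings, ordered by what they mean to the business."""
    return sorted(((f.finding_id, business_risk(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)


def residual_risk_kpi(findings) -> float:
    """A *KPI*: total residual business risk, trackable over time and against spend."""
    return sum(business_risk(f) for f in findings)


def risk_reduction_if_fixed(findings, finding_id: str) -> float:
    """Fraction of total residual risk removed by closing one finding."""
    total = residual_risk_kpi(findings)
    removed = sum(business_risk(f) for f in findings if f.finding_id == finding_id)
    return removed / total if total else 0.0


# Constructed sample data (not real systems, CVEs or scan output)
LAB_BOX = Asset("lab-test-01", business_impact=1, internet_facing=False, compensating_controls=0.5)
PAYMENT_GW = Asset("payment-gateway", business_impact=5, internet_facing=True)
HR_APP = Asset("hr-portal", business_impact=3, internet_facing=False, compensating_controls=0.3)

SAMPLE_FINDINGS = [
    Finding("F-001", LAB_BOX, cvss=9.8, public_exploit=True),     # "critical" on a lab box
    Finding("F-002", PAYMENT_GW, cvss=6.5, public_exploit=True),  # "medium" on the money path
    Finding("F-003", HR_APP, cvss=7.5, public_exploit=False),     # "high", internal, no exploit
]

if __name__ == "__main__":
    print("metric :", count_by_severity(SAMPLE_FINDINGS))
    print("ranked :", rank_by_business_risk(SAMPLE_FINDINGS))
    print("KPI    :", round(residual_risk_kpi(SAMPLE_FINDINGS), 2))
    for fid in ("F-001", "F-002", "F-003"):
        share = risk_reduction_if_fixed(SAMPLE_FINDINGS, fid)
        print(f"fixing {fid} removes {share:.0%} of residual business risk")
```

The severity count reports one critical, one high and one medium, which a practitioner would read as "fix the critical first." The business-risk ranking puts the medium on the payment gateway at the top and the critical on the lab box last, and closing that single medium removes roughly 86% of the modelled residual risk. Whatever weights you actually use, the point is that the second number can be explained to someone who has never heard of CVSS.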

I'm not saying I have better answers than any of you, but this has been front and center in my mind recently, and I think it's imperative that we start having serious discussions about it.

I know full well there are lots of metrics mailing lists, conferences and working groups out there, but if no one can agree on our collective goal, are we all just chasing fireflies in the summer air?

Project Zosimos, which I launched recently, aims to create a framework for having these kinds of discussions. I will attempt to get us closer to actually answering the question "How is IT Security performing?" from a business perspective, from an IT Security leadership perspective, and down to the practitioner's perspective as well.

The toughest part for many of you reading this (I say this because it was true for me for many, many years) is letting go of the notion that security matters strictly on its own merits. The business matters, and anything or anyone that supports the business matters only so long as the cause of the business is furthered. Are you OK with that?

The other crazy notion is that we need to take a sledgehammer to the silos we've built up around security, networking, application development, risk management and all the other groups in and outside of information technology. Security, when done right, touches everything in the business.

Security also creates a positive impact (or at least it can) on virtually every aspect of the business. If you're solely focused on being a cost-center CISO, I suspect you're having a hard time treading water... isn't it time to get beyond this?

I refuse to buy in to the saying that security is either cost avoidance or a cost center and nothing more. This is simply untrue in my experience. Good security is good for business, pure and simple.

So to all of you silo-dwelling technical security analysts out there: widen your scope. Your trade is maturing at a rate that gives you the choice of moving along with it or being left behind in the basement cubicle. That choice, for the time being, is still yours.

Cross-posted from Following the White Rabbit

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.