October 27, 2016 // By Michael Lester
The following article was originally published on CSOonline.com and can be found here.
Measuring security is sort of like measuring happiness. How do you compare your happiness with someone else’s? Are you happy? Are you happier today than you were yesterday? Will the things that make you happy today make you happy tomorrow? More importantly, will you discover that you thought you were happy, but it was only because of ignorance?
Measuring security is one of the most difficult tasks a security leader faces. How do you measure something that has no quantifiable definition? There just isn’t an accepted metric by which to measure or compare, yet this is exactly what most board members want to know.
I always chuckle when I review a new contract for our company that has verbiage that says we must maintain “adequate security”. Do you know what “adequate security” means? I do. It means you haven’t been breached yet. By definition, once you are breached, your security wasn’t adequate. Agreeing legally to maintain “adequate security” is tantamount to legally agreeing to never be breached.
This is a real challenge for the security professional because we have all been taught that you can only manage what you can measure. Well…if that is true, how do we measure security?
For most of us, lacking any way to measure security directly, we resort to indirect measurement by measuring the attributes of a system that we believe to be secure. Unfortunately, most of us are measuring the wrong things.
Most larger companies, and those in specific industries, perform audits that measure a predefined set of controls believed to be indicative of a secure system. Most of those controls are defined by one of many security frameworks (NIST, COBIT, ISO, etc.), but audits only tell us whether we comply with reporting or control requirements.
One company, Secure Digital Solutions, an information security firm headquartered in Minneapolis, recognized this conundrum and built a tool that doesn’t actually measure security, but instead measures controls in a way that reveals patterns and process issues. More importantly, it provides advice on what to do to be more secure.
“Controls are for auditors. Processes are for managers,” says Chad Boeckmann, founder and CEO of Secure Digital Solutions.
I think he’s on to something.
Security isn’t a machine problem. It is a human problem. In the long run we can’t be more secure by just throwing more controls or bigger firewalls at the problem. We need to manage the people and the process of security. Those of you who follow my blog know that I’m a firm believer in the people part of every problem and every solution.
Boeckmann goes on to comment: “There are three aspects that a good security leader needs to consider beyond risk:
- The team’s capacity to get things accomplished
- The effectiveness of the team to accomplish the goals
- How to best represent the business value the security program is delivering”
From the demo I saw, I’d say their TrustMAPP platform gives the security leader insight into all three. I’m always impressed when I see business people focusing on people and not just tools. Don’t get me wrong, tools are needed, but they should enhance how we deal with processes run by people and not simply used as a final solution to a control objective.
In the end, the security leader will be asked by others not only to measure the immeasurable, but to quantify and attest to the company’s state of security. Since it is pretty much impossible to do that with a purely technological approach to solving security challenges, and since security is a constant process, the security leader should focus on the process of continuously adapting and improving security and communicate the changes those processes have made.
The National Association of Corporate Directors published a survey in October 2015 indicating that 31 percent of company directors are dissatisfied with the quality of information from management regarding cyber security. It is no longer adequate for a security leader to report on the number of incidents they responded to or the success of the latest awareness campaign or phishing exercise. Security leaders must begin to speak the language of the business: show forecast improvements and the investments required, and track improvement against consistent key process indicators. This is the same rigor applied to other areas of the business, and information security and cyber security must be held to the same standard.