The 2019 World Economic Forum Global Report outlined the biggest global risks, ranking data theft and cyberattacks as the fourth and fifth top risks in terms of likelihood. Within the past year alone, more than one-third of US companies reported having suffered a data breach citing cybercriminals as the greatest data security threat, according to IDC. Clearly, data breaches remain a top concern for organizations as cybercriminals continue to mature and evolve their tactics.
Chief Information Security Officers (CISOs) should be aware of the type of hackers that are targeting their organization and the motives for attack. By understanding the result cybercriminals wish to achieve and why, security leaders can ensure that the proper capabilities for preventing, detecting and responding are modeled.
When reporting the security operations level of an organization to the board of directors, the majority of CISOs measure the effectiveness of their program against a proven model (NIST, ISO, CMMI, etc.). However, security leaders should not attempt to demonstrate success by reporting on the sheer volume of widgets, correlation rules, blocked IP addresses, stopped malware infections and/or log sources. While this may carry some important context, CISOs only have a limited amount of time to present to the board. Thus, they should focus instead on quantifying how the capabilities of their security operation demonstrate progress in reducing risk, in contributing to business revenue and in increasing cost savings for the business. Security leaders must speak in terms of business impact.
So, what exactly should a CISO be measuring and reporting? Listed here are my top recommendations.
Align Business Operations with Security Operations
First, the CISO has to be aligned with core business objectives. Visibility into what systems, use cases and assets across the IT environment have the biggest impact on the business if compromised is pivotal when measuring and reporting on security operations. Without understanding business operations, a security team is unable to successfully prioritize the most critical threats.
Unfortunately, many security leaders falsely assume that they know what threats will cause the biggest impact to the business and what assets are most important for the business to protect. It is critical that CISOs do not execute against a strategy based on assumption and instead attain true knowledge of the value and importance of data, systems and applications to the business.
How a business is operated as well as a business’ culture are important factors that impact and influence a security program. Business impact analysis (BIA) data unveils what and where the highest priority assets, such as systems, applications and data, lie within a business’ operations, the overall value of all assets and the amount of protection aligned to those assets. BIA also reveals how a security operations program should prioritize incident response for different assets and can help CISOs drive internal business agreements that support their security operations.
Once a security leader is aligned with business objectives, they can properly measure the impact of a threat as well as the security program’s progress in reducing risk and increasing cost savings to the business. BIA also enables CISOs to identify how their program is contributing back to the revenue of the business. The security program must be presented as a revenue generating operation and not as a cost center.
In combination, by evaluating the business impact analysis (BIA), the threat model and the overarching goals and objectives of the core business, CISOs gain the data necessary to successfully architect, build and operate their security program.
Categorize Enterprise Assets by Criticality
Every aspect of protection for an asset, such as security agents, security tools, patch coverage, vulnerability coverage, appropriate log data and effective monitoring, must be organized by criticality to the business.
The process of categorizing assets is a pivotal component of a security leader’s scorecard. When organizing assets by criticality, it is also important to consider the context of each asset, including the cost, function, data and workflow around each asset, who and what is accessing the asset and how that impacts business operations. Assets can then be organized into different tiers along with the necessary protections and operating level agreements (OLAs), which are discussed in further detail below, and processes applied to those assets based on the threat actors identified in the threat model.
A CISO should be aware of their ability to successfully protect, detect and respond to threats in accordance with agreements based on an asset’s category, criticality, aligned function and business outcome. This assessment drives the scorecard of red, yellow and green to reflect the coverage over the most vulnerable, business-critical assets. CISOs can also include current projects and mitigation of risks as red, yellow and green scores based on the amount of progress made.
It is important to recognize that organizations will have different scorecards with different areas of focus for each category. How a security leader classifies and prioritizes the most critical risks to the business will differ at varying stages of maturity for all companies.
Ensuring a Cross-Functional Approach
The baseline and targets for each high-priority asset are now established. The highest priority groupings will require immediate incident response so that threats impacting business operations are mitigated rapidly. It is thus important that security leaders have cross-functional agreement, support and communication across different departments within the business surrounding the protection of the highest priority business assets. The workflow, plans and strategies of the security operations program must be agreed upon by all.
Protecting business operations is a unifying case across a company. A CISO can outline OLAs to provide a central agreement on the collaboration needed from departments to ensure support of security operations. As an example, if the legal department is needed for a CISO to respond to a high-priority threat, that department should know its role in helping neutralize the threat and respond immediately based on the OLA.
Every business unit should effectively and quickly perform the responsibilities outlined in the OLA. The timely response between business units, within the workflow of the security operations program, is pivotal and subsequently impacts the ability to contain a threat.
These agreements can vary across an organization’s IT environment based on certain workflows. For example, an OLA could begin with the requirement for 100-percent coverage and visibility into the highest criticality assets and follow with decreased levels of coverage for less prioritized assets. In every case, OLAs confirm the agreed upon communication plans, workflows and expectations for each department in order to ensure collaboration when combatting threats. The expectations outlined in OLAs are the most important and must include time to detect and respond to threats.
Improving Efficiency and Effectiveness of Your SOC
Security leaders must understand which tasks in a workflow their team could expedite or automate to improve efficiency and reduce a threat actor’s dwell time, and thus the damage they are able to inflict. A CISO must understand the time to detection, the time to response and the time to mitigation of a threat.
Measuring the improvement of security operations maturity is centered around how effective an organization is at detecting and responding to threats.
Here are some of the metrics that can help analyze and improve workflows:
- Measure and report the mean Time to Detect (TTD). TTD measures the amount of time it took to detect a threat that resulted in a qualified incident.
- Measure and report the mean Time to Respond (TTR). TTR measures the amount of time it took to investigate and mitigate a confirmed security incident.
- Measure and report the total amount of incidents that occurred and the business criticality of those incidents.
Not only is it important to identify the quantity of incidents that occur and how critical each incident’s impact is to the business, but it is also crucial that security teams measure the time it took to detect, respond to and mitigate a particular threat. These measures as well as the context of an attack all play a pivotal role in improving security operations maturity.
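As an added example (not from the article), the following computes the mean TTD and TTR described above per asset criticality tier and maps each against the tier’s OLA target to produce the red/yellow/green scorecard; the tier names, OLA targets, the 1.5x yellow threshold and the incident records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
@dataclass
class Incident:
    """One qualified incident (constructed sample data, not a real case)."""
    tier: str                  # asset criticality tier taken from the BIA
    first_activity: datetime   # earliest attacker activity found in the evidence
    detected: datetime         # when the SOC qualified it as an incident
    mitigated: datetime        # when containment/mitigation completed

# Hypothetical OLA targets per tier, in hours: (max mean TTD, max mean TTR).
OLA_TARGETS = {"tier1": (4.0, 24.0), "tier2": (24.0, 72.0)}
# Constructed sample incidents.
INCIDENTS = [
    Incident("tier1", datetime(2019, 3, 1, 8), datetime(2019, 3, 1, 10), datetime(2019, 3, 2, 6)),
    Incident("tier1", datetime(2019, 3, 5, 0), datetime(2019, 3, 5, 8), datetime(2019, 3, 6, 12)),
    Incident("tier2", datetime(2019, 3, 10, 0), datetime(2019, 3, 12, 12), datetime(2019, 3, 13, 12)),
]

def hours_between(start, end):
    return (end - start).total_seconds() / 3600

def tier_metrics(incidents):
    """Incident count plus mean TTD and mean TTR (hours) per criticality tier."""
    by_tier = {}
    for inc in incidents:
        by_tier.setdefault(inc.tier, []).append(inc)
    return {
        tier: {
            "count": len(incs),
            "mean_ttd_h": mean(hours_between(i.first_activity, i.detected) for i in incs),
            "mean_ttr_h": mean(hours_between(i.detected, i.mitigated) for i in incs),
        }
        for tier, incs in by_tier.items()
    }

def rag(value, target):
    """Green within the OLA target, yellow up to 1.5x the target, otherwise red."""
    return "green" if value <= target else "yellow" if value <= 1.5 * target else "red"

def scorecard(incidents, targets=OLA_TARGETS):
    """Per-tier metrics with red/yellow/green status against the tier's OLA."""
    card = {}
    for tier, m in tier_metrics(incidents).items():
        ttd_target, ttr_target = targets[tier]
        card[tier] = dict(m, ttd_status=rag(m["mean_ttd_h"], ttd_target),
                          ttr_status=rag(m["mean_ttr_h"], ttr_target))
    return card
```

With the sample data, tier1 lands yellow on TTD (mean 5 h against a 4 h target) and green on TTR, while tier2 is red on TTD, which is the kind of per-tier trend a board slide can carry.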
Once security leaders begin to link together key trends or particular weaknesses that are being targeted or exploited within their security program, then they can build specific long-term remediation strategies to increase protection and fill security gaps.
Further improvements in security awareness training, enhancements to technology and changes in architecture or process also have a hand in strengthening security maturity levels.
Elevate Your Measurements to Elevate Your Maturity
It is important to consider that there are many key drivers that can show improvements to security operations maturity, but being able to report on improvements with concise figures is pivotal. A CISO should be prepared to report, using numbers and statistics, on the improvements to key metrics, allowing the data to tell the story.
By taking a quantitative approach to reporting on security operations, CISOs will empower themselves with credible data that goes beyond assumptions and beliefs. Risk reduction, improved operational efficiencies, increased cost savings and contributions to the business’s revenue must be shown. Additionally, when metrics are translated into an overall risk score, then security leaders can effectively report on the maturity of their program with meaningful data.
CISOs frequently have difficulty showcasing the value of their work. By focusing on the most critical measurements and having a clear baseline measurement, security leaders can clearly communicate the current state of their program, identify points of improvement and set accurate goals and future roadmap.
So, remember, it’s not simply the number of moving pieces in your security program that matter; it’s how those pieces are making your organization more resilient that truly counts — and demonstrating the improvement in resilience is what will establish buy-in with others.