IT's security metrics and reporting problem: A communication failure
Therein lies a new challenge for IT: to develop security metrics and reporting that effectively communicate the successes, failures and potential risks of a security program to business audiences in the enterprise. Wisegate, a peer-based IT advisory, conducted a member survey of hundreds of senior IT professionals to determine their top concerns in assessing security risks. Earlier this year, we shared those top concerns with CSO readers; lack of security metrics and reporting was high on the list.
Here are our findings regarding security metrics and reporting from that survey.
Security metrics and reporting processes are immature. While 80 percent of respondents said that their top security risks (malware, data breaches and outsider threat) are increasing in the industry, an average of 50 percent don't have reporting procedures in place to measure their existing security programs.
Communications problems are due to a tool-centric rather than risk-centric view of security. IT is taking a risk-based approach to securing the business, but it currently lacks the means to report risk status to boards and internal business partners. CISOs are measuring tactical things, and what metrics do exist are event-driven: how much classified data was blocked from leaving the system; how many malware hits were stopped at the firewall or by the AV software. The problem is that there remains a tool-centric rather than risk-centric view of security, and the tools that are available rarely provide metrics that can be combined into an overall, metrics-based company risk report that fully communicates program performance. This leads to a failure of communication between security teams and the business, and it is a major challenge for IT security.
The volume of security products in the market makes seamless metrics and reporting very difficult. Survey respondents across the board have plans to implement various new security controls within the next three to five years. For example, 63 percent of respondents plan to implement endpoint-targeted security control products such as 'information protection', and 57 percent plan to implement 'anti-malware'. The top mobility/IoT products were 'DLP, tracking masking and encryption' (46 percent). The sheer volume of different products makes communicating strengths and weaknesses in the corporate security profile in relation to business impact a difficult proposition. The result is a failure to communicate program impact in business terms, and a failure on the part of business people to understand security.
Aggregate security products for seamless metrics and better communication. Security metrics and reporting can be improved if IT teams aggregate security point solutions to provide a seamless, holistic risk rating, and then create the metrics to demonstrate the impact of security on the business. As the move towards adoption of security as a service (SaaS) solutions gathers pace, security teams can start to insist on the provision of usable metrics as part of the partner agreement.
Security has moved to the central business functions; it is no longer just an IT issue. The National Association of Corporate Directors published a handbook to give cyber-risk advice to members. It says, "Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach." This point highlights the need for discussion between security teams and the board, and it shows that business leaders are ready to place security and risk alongside other high-level business concerns, such as profitability, revenue growth and product innovation.
Elden Nelson is Editor in Chief at Wisegate, an invitation-only, business-social-networking group comprised of CSOs and CISOs.