Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, November 28, 2006

Measuring Security

With cyber attacks continuing to make headlines, companies have responded by rapidly increasing IT security spending even as overall IT budgets have remained flat or declined. Gartner predicts that security software spending will have a compound annual growth rate of 16.2% from 2005-2009 with information security spending representing approximately 6% of overall IT budgets.

It’s no surprise, then, that business executives are beginning to question what they’re getting for their IT security spending.  Their tolerance for technospeak such as distributed denial of service attacks and buffer overruns is rapidly decreasing.  Part of the problem is how quickly the ground shifted.  Networks were private and built around proprietary protocols.  Then, seemingly overnight, applications were turned inside out.  Private networks gave way to the Internet for all communication and information sharing.  Worms and viruses became the norm, and costs from security-related business interruption skyrocketed.

In the early phases, senior executives primarily cared about containing the security problem and let the technology experts decide what to do.  As budgets increased, the technology grew both more sophisticated and more numerous, eventually fragmenting into a seemingly unlimited number of subcategories and products.  In this rapid spend cycle, IT security products emerged as standalone solutions, incapable of working in an ecosystem or sharing information with one another.

Are IT security teams equipped to think about “results” when they can barely keep up with the administration and information overload from all those products they acquired?  Executives set goals based on identified metrics, and then measure and manage to the established goal.  ROI is great when the goal is to increase revenues or reduce costs.  When all the technology talk is set aside, the goal of IT security can be simply stated as minimizing risk at the lowest possible cost.

Organizations will demonstrate how they are managing risk across their information systems and networks and compare today’s results to those of last week, last month, last quarter and last year.  By comparing risk trends with security spend, executives will clearly understand how their security investment is being managed and how effective it is.

And should a security incident occur despite those efforts, the organization will have clearly documented processes and metrics that prove a standard of due care was in place.

Measuring cost is easy, so let’s focus on measuring risk.  For example, advanced vulnerability and risk management systems can continuously identify and profile assets on a network to objectively and automatically measure vulnerability risk, configuration and security policy compliance and other specific metrics to produce a risk “score” for each device.  These asset risk scores can then be aggregated across the entire network and reported by region, application, operating system, business unit and numerous other ways.  Such a score is only as trustworthy as the inventory and weighting behind it: a device that was never profiled contributes nothing to the aggregate, so scan coverage itself has to be one of the reported metrics.
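The scoring and roll-up described above, as an added example that is not part of the original post and not the product of any vendor. The per-device score combines the three inputs the paragraph names (vulnerability findings, configuration deviations, policy compliance) and scales the result by a business-assigned criticality; the 60/25/15 weighting, the breadth penalty per extra finding, the criticality multiplier, the asset records and both monthly snapshots are all constructed assumptions for illustration. The example also carries the roll-up one step further than the paragraph, producing the month-over-month trend per business unit that an executive would actually be shown.

```python
from collections import defaultdict
from dataclasses import dataclass, field, replace


# Asset inventory record. All sample data below is constructed for this
# example; it is not output from any real scanner or CMDB.
@dataclass
class Asset:
    asset_id: str
    business_unit: str
    region: str
    os: str
    criticality: int                               # 1 (low) .. 5 (crown jewel), set by the owner
    vuln_cvss: list = field(default_factory=list)  # CVSS base scores from the last scan
    config_findings: int = 0                       # deviations from the hardening baseline
    policy_compliant: bool = True                  # passes the written security-policy checks


def asset_risk_score(a: Asset) -> int:
    """Return a 0-100 risk score for one device.

    The weights (60% vulnerabilities, 25% configuration, 15% policy) and the
    criticality multiplier are assumptions for this example, not a standard.
    """
    if a.vuln_cvss:
        # Worst finding dominates; each additional finding adds a small breadth penalty.
        vuln = min(100.0, max(a.vuln_cvss) * 10 + 2.0 * (len(a.vuln_cvss) - 1))
    else:
        vuln = 0.0
    config = min(100.0, 15.0 * a.config_findings)
    policy = 0.0 if a.policy_compliant else 100.0
    exposure = 0.6 * vuln + 0.25 * config + 0.15 * policy
    # Scale by criticality so the same findings rank higher on a critical host.
    return int(round(exposure * (a.criticality / 5.0)))


def aggregate(assets, key: str) -> dict:
    """Roll per-asset scores up by an attribute: business_unit, region, os, ..."""
    groups = defaultdict(list)
    for a in assets:
        groups[getattr(a, key)].append(asset_risk_score(a))
    return {
        g: {"mean": round(sum(s) / len(s), 1), "max": max(s), "count": len(s)}
        for g, s in groups.items()
    }


def trend(previous: dict, current: dict) -> dict:
    """Change in mean score per group between two snapshots (positive = riskier)."""
    return {
        g: round(current[g]["mean"] - previous.get(g, {"mean": 0.0})["mean"], 1)
        for g in current
    }


def top_risks(assets, n: int = 3) -> list:
    """Asset ids ordered by score, highest first, for the remediation queue."""
    ranked = sorted(assets, key=lambda a: (-asset_risk_score(a), a.asset_id))
    return [(a.asset_id, asset_risk_score(a)) for a in ranked[:n]]


# Constructed snapshot for "this month".
CURRENT = [
    Asset("web01", "retail", "emea", "linux", 5, [7.5], config_findings=3),
    Asset("hr-db01", "corporate", "amer", "windows", 4, [5.3], policy_compliant=False),
    Asset("kiosk07", "retail", "amer", "windows", 1, [3.0], config_findings=2),
    Asset("build01", "corporate", "emea", "linux", 3, [6.1, 4.3, 3.1], config_findings=2),
]

# Constructed snapshot for "last month": identical, except web01 still carried
# a critical (CVSS 9.8) vulnerability that has since been patched.
LAST_MONTH = [
    replace(a, vuln_cvss=[9.8, 7.5]) if a.asset_id == "web01" else a for a in CURRENT
]


if __name__ == "__main__":
    for dim in ("business_unit", "region", "os"):
        print(dim, aggregate(CURRENT, dim))
    print("trend by business unit:",
          trend(aggregate(LAST_MONTH, "business_unit"), aggregate(CURRENT, "business_unit")))
    print("remediation queue:", top_risks(CURRENT))
```

The trend is reported on the mean score per group, but the `max` and `count` fields are kept in every roll-up on purpose: a falling mean can hide one crown-jewel host getting worse, and a falling count usually means the scanner lost coverage rather than that risk went away.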
