CyberSecurity Institute

Not only is it technically impossible to completely secure cyberspace, but the technology is complicated, the vocabulary arcane, and the expertise to make it happen hard to find — and even harder to apply.

Worse yet, most managers never learned how to calculate the value of — and communicate the business case for — cybersecurity. Yes, I realize that overall spending on cybersecurity continues to increase every year. Yet every executive I know is kicking and screaming about its cost along the entire way.

The sad reality is that every computer network has cybersecurity exposures. This is due in large part to the fact that most software and computer systems focus on function, not security. Security is bolted to computer systems using things like firewalls and intrusion-detection systems.

Additionally, the communications methods used to deliver data are over 30 years old, coming from a time when security was less of an issue.

Compounding the problem, as software has become more sophisticated, the code used to write it has grown significantly. Conventional wisdom says you can expect to find about one bug for every 1,000 lines of software code — and every bug is an opening for hackers. The 45 million-line operating system that runs your computer may have 45,000 ways to be breached by a hacker. These hackers are smart, and most have much more time to spend attacking you than a typical system administrator can spend defending against them.

Attacks are also becoming increasingly automated, which compounds the problem. Computer worms and other autonomous, malicious programs can attack and infiltrate these complex environments in a relentless, methodical fashion.

Most senior executives are aware of these cybersecurity issues.

The problem is that these issues rarely turn into funded information-technology projects when evaluated against other business priorities. Sure, every survey of chief information officers says cybersecurity is one of the very top issues for a company.

Yet in most executive suites, cybersecurity is considered necessary to stay in business, but not to make the business bigger. So what if a PC gets hammered by a worm? It won’t kill the business, and the expense to clean it up will be minimal.

There’s a way to deal with this dilemma.

Chief information officers need to translate the IT priority of cybersecurity into a business priority that the CEO can’t ignore.

Asset protection: Most businesses recognize that they must protect their physical and intellectual assets. For example, they can’t let someone steal their patents.

The same kind of rigor that is applied to valuing, protecting, and insuring traditional assets needs to be applied to cyberassets. If someone steals your customer- or product-development data base you could be put out of business.

Brand protection: Every CEO is concerned about the outfit’s brand. CEOs can increase the perceived value of the company through the equity they build in their brands. What if your company is hit by a hacker and all the credit-card data from the e-commerce wWeb site is compromised? What happens to the value of the brand — and to your stock price?

Compliance: Probably the strongest justification for investing in cybersecurity is that you don’t have a choice: It’s the law.

http://www.eweek.com/article2/0,1759,1765331,00.asp

What’s important to energy provider Georgia Power (federal regulation compliance, for example) may not be important to coffee purveyor Starbucks (armed robbery statistics, for example). “Clearly, statistics on their own don’t make a very good read,” says John Hedley, head of group security for food maker Nestlé.

Francis D’addario Starbucks Metrics insight: Rigorous tracking of processes leads to improvements and business value.

Here is the story of four security executives in different industries who give a rare peek into the physical security metrics that are important to them, their CEOs and their organizations. Taken together, data points and measurements help them keep a firm grip on the most important metric of all: How much confidence the rest of the organization has in the security department.

To Francis D’Addario, the connection between security metrics and how effective he is as CSO of Starbucks is simple: His mission to protect people, secure assets and contribute savings year over year is validated with key performance indicators. Whether D’Addario, vice president of partner and asset protection at the $5.3 billion coffee and food retailer, is talking about physical assets (stores and equipment), liquid assets (cash and coffee) or human assets (employees and customers), using metrics is how he judges the success of his security group.

First and foremost on the priority list, D’Addario says, is the safety of people. The frequency of armed robberies at retail outlets, for example, is an important metric at Starbucks and within the retail industry.

Nestlé Metrics Emphasize Prevention and Protection
When there is civil war where your people are working, one physical security metric rises above all others: Keeping all of your employees alive. Hedley’s security staff, led by a regional security manager based in Abidjan, the commercial capital, set in motion an evacuation plan for the international Nestlé employees when it was clear that the violence was escalating to a dangerous level. “We have not done a cost-benefit analysis of how much money we have saved because of the security plan in place,” Hedley says, adding he was not sure of the evacuation’s cost. The areas most important to him are Nestlé employees, distributors and consumers; company property; and the strength of Nestlé’s reputation and brand.

Utility Uses Government Rules to Build Metrics
Margaret Levine, corporate security manager at Georgia Power, has found ways to convert the necessary burden of regulation into a bounty of physical security data for the electric utility. Readiness reviews are planned events and are a key component of Georgia Power’s business continuity program. The reviews assess whether employees and site security professionals at a particular facility understand that facility’s threat plans and know what to do when the threat level is raised or lowered.

Tracking Trends Incident trends and loss trends are next on Georgia Power’s metrics list. Levine says that it’s critical to be able to demonstrate that a CSO’s security program is a significant mitigating factor in preventing increased incidents and losses. Levine can compare incidents by quarter, year-to-year and across multiple years. She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location.

She follows the same process for tracking losses; she says she tracks property and monetary losses. The key, she says, is if you’re not able to prevent losses, then “you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures. Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports—business executives, plant operators, substation engineers, customer service managers. She says her reports must contain information that is important to them, not just to security managers.

Depending on the type of data and compliance requirements, Levine reports her metrics monthly, quarterly or yearly. Levine says Georgia Power collaborates on metrics reviews with other security managers from within Southern’s 12 operating companies.

(Besides Georgia Power, there are four electric utilities and companies in wholesale power, power generation management, natural gas, nuclear power and energy services. Southern also owns a wireless company and a fiber optics business.)

As for data quality, Levine says that it’s important to watch out for the equivalent of scorekeeping changes. She says Georgia Power recently transitioned from a 10-year-old case management system to a new system developed last year by Southern’s security managers. The case management system is a database that records all the details of incidents that are reported to corporate security. This includes an incident narrative and summary; victim, witness and reporting party names; losses; investigative activity; and case resolution. For example, the old case management system had separate incident categories for burglary, larceny, fraud and robbery. But in the new case management system, all of those crimes are categorized as financial matters.

“To make an apples-to-apples comparison between the old and the new, we have to select a specific subcategory (for example, larceny) in the new system,” Levine says.

http://www.csoonline.com/read/020105/metrics.html