A couple of blogs ago, I discussed security metrics and described the information on my dashboard. One important point that I failed to make is this: given all the metrics, how vulnerable do we really think we are? In other words, should we also include some subjective status along with all the tangible stuff that we can measure with reporting tools?
We might make the assumption that senior management are only interested in facts and figures that can be backed up by statistics in a workbook. In fact, experience tells me otherwise. The point was made a few days ago when a senior executive, faced with my sheet of green, yellow, and red status symbols, asked me bluntly “all good, but how secure are we – is there anything that should be keeping me awake at night?”
According to Gartner, senior managers want, out of metrics, “a high-level understanding of how the security program identifies and manages risk to the business, and how the security organization’s efforts can support — and not obstruct — their business goals.” I disagree. I think senior managers want to know that security is being taken care of so that they don’t need to be concerned about it. Let’s forget all this bullshit about security being a business enabler – we can stop fooling ourselves about that particular line of sales – it’s about protecting reputation and revenue. Security is a cost of doing business and has little to do with enablement. When we present a sheet of carefully prepared metrics, the only question the senior manager really wants answered is “is there anything I need to do or be concerned about?”
And the answer is, yes, of course there is. The reason is that we can have the greatest and prettiest dashboard of metrics, but inevitably we can’t control every document and we can’t validate every transaction on the network, nor can we predict where the next zero-day attack is going to hit. So, the best we can hope for is that the metrics identify where the security programme is running most efficiently and where it requires more focus.
So, bottom line, will I be including intangible opinion along with my objective data in future reports? No. Metrics need to be specific and measurable facts. If a conclusion can’t be drawn from the way the metrics are presented, then work harder on getting them right. Clearly, I haven’t yet got it right; otherwise the senior executive wouldn’t have needed to ask me his question.
So, this week, my report card says 7 out of 10, must try harder!