Security Metrics - Are we secure?

It’s crunch time and some facts and figures are needed to demonstrate security status to senior management. How are you going to do that? I’ve been working for a while on making sure that I have access to a decent set of data from across the whole business and setting up a dashboard for myself so that I can report on timely data that provides a good view of how well information security is being managed.

It’s not been simple. Since coming into the role I’ve been struggling to find a decent set of metrics that answers the question of how secure we are in a way that satisfies management’s desire for straight-to-the-point, quick to interpret, accurate and timely data. It hasn’t helped that much of the information I’ve wanted to present has to be acquired from some very remote business units where my description of requirements has frequently been misinterpreted with resulting confusion and frustration on both sides.

I also only want to present metrics that demonstrate something tangible. Spam statistics and firewall logs do not provide management with useful facts that anyone can do anything about. Interesting as they may be and while such data is useful for me and others within the various IT departments, they don’t really indicate our security status.

So, let’s answer the questions: Are we secure? How well is security being managed? Are we on track towards mitigating any outstanding risks to data? Have we had any security incidents? Each of these are metrics on which we can set some measurable objectives. I’ve used the following sets of data to measure them.

Results of network vulnerability testing. Regular testing (I use weekly) of external IP ranges provides an excellent view of security status. Security issues are quickly identified and can be just as quickly remediated. Any outstanding issues can be reflected in the metrics. I use red, green, or yellow depending on the status for each part of the business. I’ve found that the threat of a red mark on a management report is incentive enough to spur local teams into action if nothing else is going to work!

Statistics relating to deployment of patches. This is a measure of how well security is being managed. I’m looking at how successful local teams are at deploying critical patches to desktops and servers. In an environment with hundreds of desktops I’d rarely expect 100% deployment, but 95% should be achieveable in a timely manner.

Project plan status. I have a project plan for security delegated to each security manager across the business, varying depending upon risk mitigation tasks we’ve identified relevant to their location. Tracking the status of these plans provides another metric for guaging security management and risk mitigation status.

Number of security incidents. Hopefully none at all but a useful section to have on the report, showing what happened, where, and what the consequences were.

There are plenty of other statistics I can – and do – gather for operational uses however the focus here is on satisfying senior management and their desire to know the answer to the question of “how secure are we?” I think this does the job. Would be interested to know what you think.