According to a proverb, what you cannot measure, you cannot improve. Similarly, if an enterprise plans to improve its security posture, it should be able to measure it. But how can you measure the impact of your security efforts? Security metrics can be the answer to this, says Anurana Saluja, the associate vice president for information security audits and assurance at Infosys Technologies.
Infosys, the leading Indian IT-BPO company, employs more than 1,14,000 people. It has to meet the information security and compliance requirements of different clients and geographies. To this end, Infosys has established mature security processes and practices, as well as developed strong risk management frameworks.
Awareness about the need for security metrics began around 2006, when the IT giant felt a need to bring in more accountability as well as demonstrability with respect to its security posture and efforts. Infosys realized that though it had put a lot of security controls in place, it still needed to measure the effectiveness of those controls. That’s when the company decided to develop security metrics. “The key purpose of security metrics was to give assurance, enable decision-making, and bring improvement in the security posture,” says Saluja.
Security metrics allow organizations to measure the effectiveness of their security efforts. All security controls work toward reducing risk, but, asks Saluja, how would you know whether the risk has decreased or increased without measuring the current level of risk that the organization faces?
A company like Infosys has to manage thousands of desktops, laptops and systems. Hence the company creates automated controls to manage patches and antivirus updates on all these machines. Effectiveness of these controls can be discovered using security metrics. Suppose 95% of the company’s desktops are properly patched; this means that 5% are still vulnerable. Security metrics in this scenario will help to answer questions such as ‘What is the situation compared to last month?,’ ‘Is it deteriorating?,’ ‘If so, why?’ and ‘How can it be improved?’
What needs to be measured?
Infosys mainly measures risk exposure, the degree of compliance with policies and standards, and the effectiveness of controls. Some examples of the security metrics followed at Infosys include:
• Perimeter defense metrics (e-mail, firewalls, antivirus solutions and attacks)
• Coverage and control metrics (antivirus, patches and configuration)
• Availability and reliability metrics (uptime)
• Application security metrics (code security and vulnerabilities)
There’s no single risk indicator which can cover an organization’s entire risk posture. So the company needs to arrive at afew security metrics that are indicative of major risks. While selecting these metrics, Saluja advises the need to look for those that are repeatable, available, quantifiable and useful.
How does Infosys measure security metrics?
Security metrics mainly gather data, analyze this data, and identify gaps in the data that point to gaps in processes and technologies. This enables Infosys to fix these gaps and improve its security posture. Saluja says that while gathering data for security metrics, they ensured that it was independent from the owner of the system. It was critical that accountability for the data was established, and that the consistent quality of the data was maintained.
Infosys has developed certain home-grown systems for security metrics that pick up relevant data, process it, and correlate it with other systems. They also provide feeds to the areas where action needs to be taken. For example, if certain employees have left the company but their IDs are not deleted from the system, a metric captures this information and feeds it to the concerned system for required action.
Infosys has created a separate team to keep tab on these metrics. This team also envisions the new security metrics to be created in order to keep up with the changing times.
Challenges and benefits
The data owners’ buy-in was one of the major challenges in developing security metrics since they had to be convinced about the need to gather such metrics. Saluja says that strong management support, consistent periodic analysis and compliance enforcement are critical factors for the success of a security metrics project.
Infosys is a data-driven organization, and is responsible for the security of its customers’, employees’, partners’ and vendors’ data. Security metrics have allowed the company to provide the basis and evidence for its claims on security postures. The company has also been able to cut down the cost of security controls in several projects after demonstrating these security metrics.