The New Business of Security -- Metrics That Matter
By Sonny Discini
June 7, 2010
"A half hour lunch with the finance manager may yield more actionable security items than the combined reports of all your security devices."
For years now, we as security practitioners have been perceived as a roadblock to project timelines and to the overall efficiency of the business. Many security shops carried around a giant stick and said "no" to almost anything that came along. On top of this, we have had such a narrow focus on what we think is important to "securing the enterprise" that we have been reporting things that have little or no meaning to the decision makers.
We must change this and begin recognizing the real value we add to the business -- that we aid the decision makers in making educated business decisions.
Security teams face a choice. We can stick to outdated methodologies and find ourselves sitting on the curb, or we can redefine how we exist in the business. The first place to start is measuring things that are meaningful and treating security as a business enabler rather than a business expense. "What do I as a security professional worry about?" is not the relevant question. "What does the business worry about?" is the question that really matters.
We've Been Doing It All Wrong
Senior management does not care how many spam messages the organization received last month. They don't care how many workstations are missing the latest Microsoft patches, and they certainly don't care that the organization had 23,000 "high" vulnerabilities reported from the VA scanner. They care about the goal of the business, which is usually making money.
However, you can't manage what you don't measure.
The right metrics come from asking the right questions: What business are we in? Are we measuring efficiency or efficacy?
Security as a Business Within the Business
Like any business, we need raw materials. For security practitioners, information is the raw material. Where we get it and how we store it determine the quality of the output and its true value to the business. Ask yourself what new information you create from this raw material. Ask who your customers are. Ask how you package this information and how you deliver it to your customers. Is your information easy to get and easy to use when making business decisions?
Security must become fused with the business, and if we change our position and market our services correctly, security becomes a profit center rather than a line-item expense.
Constant communication with your customers will broaden your reach to people in the organization you may never have had a chance to speak with. This will strengthen your "brand," extend your reach and ultimately give you greater exposure across the entire business. It also means you will be involved in projects that otherwise might never have come to your attention.
A Fresh Look at Meaningful Metrics
Let's look at some inbound logistical metrics that do have meaning: percentage of patch saturation over time, security events by demographic, percentage of patches released over time vs. what is relevant to the business, and common user inquiries. With this information the business can make decisions that are meaningful and cost-effective. For example, the percentage of patches released vs. what is relevant tells you: yes, Microsoft released 40 patches, but because we run a hardened image, only four of them touch components we actually have, so only those four matter. This creates efficiency in the patching process, and ultimately it saves money, because personnel spend time only on relevant patching rather than on things that have no impact on the business. Measure efficiency ruthlessly!
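The two patch metrics above (released vs. relevant, and saturation over time) are easy to compute once the patch-management and inventory data are in hand. The following is an added example written for this page, not code from the original article: the component list of the hardened image, the vendor release list and the per-host patch records are all constructed sample data with illustrative identifiers, and the functions would in practice be fed from your patch-management or VA export.

```python
"""Patch relevance and patch saturation metrics (added example).

All data below is constructed for illustration: component names,
patch identifiers and hosts are not real advisories or systems.
"""
from datetime import date

# Constructed: components that exist in the hardened workstation image.
HARDENED_IMAGE_COMPONENTS = {"os-core", "browser", "office-suite"}

# Constructed: one vendor release cycle (patch id, component it fixes, release date).
RELEASED_PATCHES = [
    {"id": "P-1001", "component": "os-core", "released": date(2010, 5, 11)},
    {"id": "P-1002", "component": "media-player", "released": date(2010, 5, 11)},
    {"id": "P-1003", "component": "browser", "released": date(2010, 5, 11)},
    {"id": "P-1004", "component": "scripting-host", "released": date(2010, 5, 11)},
    {"id": "P-1005", "component": "office-suite", "released": date(2010, 5, 11)},
    {"id": "P-1006", "component": "legacy-mail-client", "released": date(2010, 5, 11)},
]

# Constructed: per-host record of applied patches and the date each was applied.
HOST_INVENTORY = {
    "ws-001": {"P-1001": date(2010, 5, 12), "P-1003": date(2010, 5, 12), "P-1005": date(2010, 5, 20)},
    "ws-002": {"P-1001": date(2010, 5, 13), "P-1003": date(2010, 5, 18)},
    "ws-003": {"P-1001": date(2010, 5, 12), "P-1003": date(2010, 5, 12), "P-1005": date(2010, 5, 12)},
    "ws-004": {},
}


def relevant_patches(released, image_components):
    """Keep only patches whose component is present in the hardened image."""
    return [p for p in released if p["component"] in image_components]


def relevance_ratio(released, image_components):
    """Fraction of the vendor's release list that matters to this fleet (0.0-1.0)."""
    if not released:
        return 0.0
    return len(relevant_patches(released, image_components)) / len(released)


def _applied_by(host_patches, patch_id, as_of):
    """True if the host had patch_id applied on or before as_of."""
    applied = host_patches.get(patch_id)
    return applied is not None and applied <= as_of


def fully_patched(host_patches, patch_ids, as_of):
    """True if every patch in patch_ids was applied to this host by as_of."""
    return all(_applied_by(host_patches, pid, as_of) for pid in patch_ids)


def saturation_over_time(inventory, patch_ids, dates):
    """Percent of hosts fully patched on each date -> {date: percent}."""
    if not inventory:
        return {d: 0.0 for d in dates}
    result = {}
    for d in dates:
        done = sum(1 for hp in inventory.values() if fully_patched(hp, patch_ids, d))
        result[d] = 100.0 * done / len(inventory)
    return result


def per_patch_saturation(inventory, patch_ids, as_of):
    """Percent of hosts with each individual patch applied by as_of -> {patch_id: percent}."""
    if not inventory:
        return {pid: 0.0 for pid in patch_ids}
    return {
        pid: 100.0 * sum(1 for hp in inventory.values() if _applied_by(hp, pid, as_of)) / len(inventory)
        for pid in patch_ids
    }


def hosts_missing(inventory, patch_ids, as_of):
    """Actionable list: hosts not fully patched and the relevant patches they lack."""
    return {
        host: sorted(pid for pid in patch_ids if not _applied_by(hp, pid, as_of))
        for host, hp in inventory.items()
        if not fully_patched(hp, patch_ids, as_of)
    }


if __name__ == "__main__":
    relevant = relevant_patches(RELEASED_PATCHES, HARDENED_IMAGE_COMPONENTS)
    ids = [p["id"] for p in relevant]
    print(f"released: {len(RELEASED_PATCHES)}, relevant: {len(ids)} "
          f"({100 * relevance_ratio(RELEASED_PATCHES, HARDENED_IMAGE_COMPONENTS):.0f}%)")
    for d, pct in saturation_over_time(HOST_INVENTORY, ids, [date(2010, 5, 12), date(2010, 5, 20)]).items():
        print(f"saturation as of {d}: {pct:.0f}%")
    print("per-patch:", per_patch_saturation(HOST_INVENTORY, ids, date(2010, 5, 31)))
    print("still missing:", hosts_missing(HOST_INVENTORY, ids, date(2010, 5, 31)))
```

One caveat worth building in before reporting this upward: the relevance filter is only as good as the component inventory behind it. If the "hardened image" list is taken from the image specification rather than from what is actually installed on hosts, a patch for a component that a few machines picked up outside the image will be discarded as irrelevant, and the saturation figure will look better than the fleet really is. Drive the component set from measured inventory, and keep the hosts_missing output next to the percentage so the number stays actionable.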
Once you have these measurements, make them easily accessible via self-service, face-to-face meetings or direct contact with the customer. As you find successes here, continue to market your offerings.
How Is Your Security Business Doing?
The simple thing we are striving for is demand. We want to be in constant demand from the business. Start measuring the number of hits to your security portal and the number of downloads of the materials offered there. Look at what customers most often come there for, and build that into your services model. Measure your project pipeline: how many new projects are you taking in each quarter? Stay connected with what's happening by looking at the number of security-related support calls, the number of incidents reported by each business unit and the percentage of returning callers. Go out and talk to your customers!
Hence, a half hour lunch with the finance manager may yield more actionable security items than the combined reports of all your security devices.
If you are successful, they will come. But be careful: if your security program is wildly successful, you may find yourself spread too thin and risk destroying the very thing you built.