SAN DIEGO – Security pros need to think more objectively and begin measuring the success of their programs to justify spending and show the value of ongoing projects.
That was the message given to attendees of the Burton Group Catalyst Conference '08 by Pete Lindstrom, a senior analyst at the Midvale, Utah-based research firm. Lindstrom is touting a new model to help security pros measure and articulate security program successes and failures to senior management.
"We need to get objective and quantitative in our environments in order to better manage our programs," Lindstrom said. "We have to collect ourselves together as a profession and define what it means to meet our security objectives."
In his session on developing a security metrics program, Lindstrom said the goal is to better characterize the nature of the threats, risks and vulnerabilities in the company's environment. Security professionals are at a point where dealing with viruses and worms is routine, so it's time for them to better understand both the technical environment of the enterprise and the business objectives, Lindstrom said.
"We have to know about the various transactions that are out there and we have to keep track of them," he said.
Security experts, researchers, analysts and practitioners have been working to get organizations to change their approach to measuring security effectiveness. A new book on the issue, The New School of Information Security, by Adam Shostack and Andrew Stewart, says the lack of security metrics hampers security pros from making informed decisions on strategy and policy.
The Burton Group's Lindstrom agrees. He described a new model that breaks out the cost of the security program, the number of incidents, the number of controls deployed in the environment, and the number of transactions, and uses those figures to determine the value of a security program. To make the model work, Lindstrom said security pros need to begin collecting the underlying data immediately, such as spam counts, antivirus statistics and patching numbers.
"This is to validate what you're doing and provide a decision over the long haul," Lindstrom said. "We have to do it if we're going to be objective about making appropriate security decisions."
Ultimately, security pros will be talking about the successes of the security program to the company CIO and other senior-level managers. But in many cases, people are unprepared to speak the language of the business, said Ken Anderson, executive strategist for Burton Group's Executive Advisory Program. Security pros need to start preparing by having the program's goals clearly documented and getting the department to agree on a common set of operational metrics.
Anderson said security pros need to show the formula used to arrive at a specific risk level. A language gap continues to exist between business managers and IT, he said. Security pros need to modify their language to clearly articulate their goals and objectives and how the security team is meeting them.
"Sell people, not just metrics, but you still must build up context," Anderson said. "If you do this right you will not just be a budget line, you'll be adding value."
Lindstrom is also developing a formula to determine the top strategic metrics, such as identifying the transaction value and cost factors, as well as determining the total cost of controls and a control-effectiveness ratio.
David Padresky, a security manager at a firm that runs a chain of restaurants, said that metrics could help motivate the entire security team. It has been difficult to set goals and measure how well they have been achieved, he said.
"It's easier said than done because there's really no one-size-fits-all approach to it," Padresky said. "We need to start doing a better job analyzing our effectiveness and communicating our successes."