On the surface, it sounds like the perfect tool: a dashboard-like interface that gives IT managers a 360-degree view of their company's security posture. It tracks vulnerabilities and malicious activity, prioritizes risks, and assesses the most appropriate actions.
But experts say the technology is young and products designed to show you the most data aren't always best. For now, they say, companies should settle for a product best tailored to their unique needs. Or they can wait a few years for the technology to improve.
"I do think we will get there in some fashion," said Shon Harris, CEO of Florida-based Logical Security and contributing author of the book Hacker's Challenge. "I don't think we will have our utopian tool for another five years, but as the interest and demand and potential profit for this type of product grows, innovation and new products will be right there. As we continue to evolve and integrate security at the business level, the demand for this type of innovation will really step up."
The pros and cons of security dashboards was the focus of a panel discussion at last week's Information Security Decisions conference in Chicago. Andrew Briney, editor-in-chief of Information Security magazine, moderated the discussion between Harris, Bill Boni, vice president and CISO of Schaumburg, Ill.-based Motorola, and Pete Lindstrom, research director of Spire Security in Malvern, Penn. During the discussion and in follow-up interviews, the panelists agreed that today's dashboards offer useful features, but also drawbacks.
"I get a little nervous when people define this as a security dashboard," Lindstrom said. "I worry that people lose track of the functionality issues and get caught up in talks about the perfect dashboard. Having a dashboard that has everything isn't always practical or useful. You're looking at too much on a small screen. People should be looking at the strategic side of things, rather than having a board that lists everything out there."
For Boni, the best kind of dashboard is one that tells him if "the ThreatCon is more urgent than when I went home last night" and keeps track of what capabilities the company has in place. "I won't get fired for new vulnerabilities and exploits," Boni said. "But I have an excellent chance of getting fired if the exploit is for a vulnerability that has been there for awhile without being fixed."
All agreed the essential elements of a good dashboard are:
- Asset discovery and management;
- Vulnerability remediation;
- Threat correlation and assessment;
- Compliance and policy management;
- Reporting and auditing;
- Prioritization of risks and remediation workflow; and
- Treatment of operational risk as a lifecycle.
They also agreed obstacles to the perfect dashboard are:
- Poorly conceived and executed risk analysis models and processes;
- A constantly changing risk environment;
- Evolving, immature technologies;
- Immature communications protocols and standards; and
- Poor understanding of the relationship of technical risk to business risk.
"When I think of security management and dashboards, I want to know key policies that apply to companies," Lindstrom said. "How do those policies match up to regulations? How is a company doing when it comes to compliance? What are the exceptions? There is no one-size-fits-all solution."
In the end, Harris said today's dashboards illustrate the general status of the information security market. "The industry is just now starting to explode," she said. "Many corporations are still trying to understand security as a business issue. The market is the driver, and market demand will lead to many of the things that are lacking today."