Your colleagues on the business side are at it again. They're asking for proof of a return on security investment -- metrics. They are asking you to measure the "unmeasurable." It is disheartening to know that security will always be viewed as a cost center and never a profit center. This is, however, a reality of the business world. At its core, security is a risk management function. The challenge is that the classic models for ROI simply don't work well in security's business role. Security staffs prevent adverse events from happening to their companies, and how do you measure that?
Six Sigma is a statistical approach to process measurement used by corporations such as GE, Motorola and Ford for improving manufacturing processes. It is completely data driven and statistics are used to identify problem areas. These areas are then prioritized and resolved. Because Six Sigma reduces defects in process, it maximizes production line efficiency, thus improving profit. However, Six Sigma can be used for any process, and it has many adherents in the service industries.
The cornerstone of Six Sigma is WHAT is being measured. There are five major steps in using Six Sigma. These are:
- Define – performance improvement goals
- Measure – the existing system under evaluation
- Analyze – to eliminate gaps
- Improve – the process, be creative
- Control – institutionalize the improved system
Our security department used the first three steps of Six Sigma:
- Define. The goal in this case is simply to identify events that can be measured. Let's consider, for example, the theft of laptops storing valuable data. Another example might be a paper-based information risk audit thrown into a regular (versus shred) trash basket.
- Measure. We decided what "units" will be used to define the measurement. What is measured and what units to use are completely based upon the process being measured. For example, a forensic examination can be measured as "each" or in dollar terms based on the information recovered or lawsuit won. The measurement for the example of the stolen laptops might be each or a dollar value (of the information and/or the device itself) – or both.
- Analyze. We evaluated the business value of our measured events versus a planned security project, a headcount increase – anything that requires approaching the CFO for funding.
To create a larger statistical sample, we use freeware and commercial risk assessment tools. Please note that freeware tools are free in software cost, but not in the time needed to master them. Examples of time proven tools are the NIST SP 800-30, OCTAVE and OSSTMM methods. Commercial tools are usually more user-friendly and offer better reporting, but at a cost. Vendors to consider in this space are Relational Software (RSAM) and RiskWatch.
For the IT security data points, we looked at our SEM/SIM, which provides log and event correlation that supports events seen in one location by providing corroborating evidence in other locations. These tools provide data points that are of higher quality and can speak more clearly of the ROI/business value provided by security in protecting infrastructure. SEM/SIM tools also speak to content monitoring appliances that may provide more concrete content protection events. Since SIM/SEMs aggregate events they make it easier to show improvements after the define/measure/analyze process. Bottom line, SIM/SEM tools provide a larger data set to conduct your analysis upon and show improvements with.
All of this speaks to the business value of security. This has been the key for success: talking about business value provided, supported by the "metrics" we developed using Six Sigma tools. These tools allowed us to identify information security risks that potentially prevent the business from achieving its mission. They provided for Proscription vs. Prescription or providing protection before an incident instead of after an incident. They aided in creating a protection strategy and mitigation plans designed to reduce the highest priority information security risks.
With this framework, it's easier to present your case to senior management. Speak in business value terms and build management support for your project through the layers (bottom to top). Use the financial resources lost during incident response or investigations, starting with your most recent incident first. In general terms, use the results from your forensic exams (let the evidence speak for itself). Use your risk assessment or audit findings as your quantifying metrics. Ensure that you provide a tie-in to regulatory and privacy data breach requirements to show that this project protects your intellectual property and your senior management. Lastly, propose your project and funding in stages to garner the support of your CFO and his peers.
About the Author:
Tom Bowers, CISSP, PMP, CEH, is a technical editor for Information Security serves as the managing director of the independent think tank and industry analyst group Security Constructs LLC. Bowers formerly served as security manager for a pharmaceutical company.