
To prevent breaches, change security hierarchy and use better metrics

The security management hierarchy in most organizations isn't conducive to breach prevention, says Dr. Eric Cole. He explains the critical changes needed to empower CISOs in this month's Security That Works column.

As compromises continue to occur with increasing frequency, and more data is revealed about how the breaches happened, a core component of successful enterprise information security stands out as one that many organizations are missing.

The fundamental problem is that security is not viewed as a critical business function within the enterprise. Many organizations do not have a CISO, and those that do often have the role buried under the CIO, where its influence and control are limited. As a result, critical information that might prevent a compromise is not presented to the executives promptly or regularly, and when it is delivered, it is often not communicated using a metric that can be clearly understood and promptly acted upon.

This situation draws parallels to a similar one that occurred 30 years ago when organizations started using computers. As companies recognized the value of IT infrastructures, the role of CIO was created, yet in most organizations this role was buried within the hierarchy of operations teams. As computers and their role within the enterprise became increasingly critical, organizations realized that this reporting structure did not work, and the CIO slowly rose in the hierarchy to the point where today the CIO typically reports to the CEO.

Yet an often-overlooked component that contributed mightily to the rise and success of the CIO role was the creation of a clear metric that can be used to measure CIO success. In the industry this is known as the five nines. Essentially, CIOs must deliver 99.999% system uptime and availability. Having this as a clear metric allows for consistent communication between IT engineers, managers, CIOs and executives so proper decisions can be made to achieve the common goal. In addition, since the CIO has direct access to the executives, any exceptions or problems that threaten the five nines objective can be remediated quickly.

This same transformation needs to occur within the security hierarchy. The role of the CIO and the role of the CISO are quite different and sometimes even contradictory. If security is reduced to merely one of many functions within IT, it puts the CIO in an unfair position and forces him or her to make security-related decisions that in reality need more executive awareness.

The first change, and one that is already happening quickly, is that the CISO either reports directly to the CEO or is at least placed into a reporting structure that does not involve a conflict of interest. While giving up control is not something an executive ever likes to do, business leaders must accept the fact that running information technology and securing information technology are two different roles. They are complementary, but they require a different focus.

In addition, critical decisions that put IT and security at odds should be board-level decisions. Recent breaches have proven that not having the CISO report to the CEO is a mistake. It is important to note that not only does the CISO need to report to the CEO, but he or she also needs visibility with the board of directors. If the CISO does not have a seat at the board table, then organizations must ensure someone with executive cybersecurity experience is on the board of directors. Breaches occur because organizations' decision makers do not receive the security-related information that would enable them to make decisions and take action in a timely manner.

Once the reporting structure is fixed, organizations need to identify a metric that can be used to track and assess progress. In effect, we need to identify the five nines of security.

After extensive analysis, the metric I suggest organizations use is "number of attempted attacks." What makes this metric valuable? Consider the following:

1. It focuses on the positive (fewer attempted attacks mean fewer potential breaches) and shows the effective job that is being performed by security stakeholders.

2. It is data that is readily available in most organizations. It is important to note that this will not be a 100% accurate number, since some attacks are not detected until after the fact. However, even if organizations treat this as a low-water mark, it still shows the executives how bad the problem is.

3. It level-sets the thinking that the organization is under attack and that breaches will occur.

4. It raises awareness across the executive team. Why use a motivational tactic that focuses on fear when you can use one that highlights fact?

How one calculates this metric, however, requires further discussion. The trick is to use a security device that every organization has, which allows the metric to scale across the industry. Every organization has a firewall, and it is fairly easy to log the number of dropped packets. A dropped packet is, in effect, an attempted connection that policy did not permit: if the packet had matched normal, legitimate traffic, it would not have been dropped. Treat the count as a proxy rather than a literal tally of intrusion attempts. Not every drop is a deliberate break-in attempt (misconfigured peers, backscatter from spoofed floods and indiscriminate Internet-wide scanning all generate drops), and attacks that arrive over ports you deliberately allow, such as HTTPS to a public web server, never appear as drops at all. Counting distinct source addresses alongside raw packets keeps a single noisy scanner from dominating the number.

Once again, note that this is an initial point of information gathering and should be treated as a low-water mark. The actual number of attacks is going to be much larger, but this metric offers an easily understandable perspective of how bad the problem really is. Remember, use it as a starting point; look to add in additional data points.
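As an added example (not code from the column or its author), the script below computes the metric described above from netfilter-style firewall DROP lines. It parses a constructed syslog sample and reports the headline low-water mark (total dropped packets) together with the additional data points the text recommends: distinct sources, per-day counts, most-targeted ports, and sources responsible for many drops, so that one port scan does not inflate the executive number. The log prefix FW-DROP, the host name fw1 and all addresses are assumptions for illustration.

```python
"""Count firewall drops as an 'attempted attacks' metric (added example, not the column's own code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: syslog lines from a netfilter LOG target. The prefix
# "FW-DROP:" is whatever --log-prefix the DROP rule uses (assumed here).
# It mixes TCP drops, an ICMP drop (no DPT), an ACCEPT line and an sshd line.
SAMPLE_LOG = """\
Oct  1 00:01:12 fw1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  1 00:01:13 fw1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  1 00:01:13 fw1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  1 00:02:40 fw1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  1 00:03:05 fw1 kernel: FW-ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  1 00:04:17 fw1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Oct  1 00:05:00 fw1 sshd[2210]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2
Oct  2 09:10:00 fw1 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.200 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=110 ID=0 DF PROTO=TCP SPT=61000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Only lines carrying the DROP prefix match; DPT is optional because ICMP has no ports.
DROP_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}) \S+ \S+ kernel: FW-DROP: "
    r".*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)


@dataclass(frozen=True)
class Drop:
    date: str
    src: str
    dst: str
    proto: str
    dpt: Optional[int]


def parse_drops(log_text: str) -> list:
    """Return one Drop per firewall DROP line; ACCEPT lines and other daemons are ignored."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        dpt = m.group("dpt")
        drops.append(Drop(
            date=re.sub(r"\s+", " ", m.group("date")),  # "Oct  1" -> "Oct 1"
            src=m.group("src"),
            dst=m.group("dst"),
            proto=m.group("proto"),
            dpt=int(dpt) if dpt else None,
        ))
    return drops


def summarize(drops: list, noisy_threshold: int = 3) -> dict:
    """Aggregate drops into the headline metric plus the context that makes it honest."""
    by_src = Counter(d.src for d in drops)
    by_day = Counter(d.date for d in drops)          # sample spans one month, so no date parsing
    by_port = Counter(f"{d.proto}/{d.dpt}" for d in drops if d.dpt is not None)
    return {
        "dropped_packets": len(drops),               # the low-water-mark headline number
        "unique_sources": len(by_src),               # how many distinct parties, not how loud
        "per_day": dict(by_day),                     # the trend executives actually track
        "top_ports": by_port.most_common(3),         # what the drops were aimed at
        # sources that alone account for many drops: a single scanner inflates the total
        "noisy_sources": [s for s, n in by_src.most_common() if n >= noisy_threshold],
    }


def report(summary: dict) -> str:
    """Render the summary as a short executive-style text block."""
    lines = [
        f"Dropped packets (attempted attacks, low-water mark): {summary['dropped_packets']}",
        f"Distinct sources: {summary['unique_sources']}",
        "Per day: " + ", ".join(f"{d}={n}" for d, n in summary["per_day"].items()),
        "Most-targeted ports: " + ", ".join(f"{p} ({n})" for p, n in summary["top_ports"]),
        "Noisy sources: " + (", ".join(summary["noisy_sources"]) or "none"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(parse_drops(SAMPLE_LOG))))
```

Run on the sample, the headline number is six dropped packets, but the per-source view shows that half of them come from one address probing three ports in two seconds, which is the kind of context that turns a raw count into something an executive can interpret. In production, feed the daily count to whatever dashboard the board sees and keep the source and port breakdowns for the security team.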

In evaluating this proposed metric, it is important to remember that if you do not like it, you have to identify something better. If you do not like the proposed metric but you do not have anything better, use it until you can find a better one. An organization cannot afford to continue to operate without a clear metric to measure information security success. The metric that too many organizations use today is, "If we do not have a breach, security is doing its job." That this is the de facto metric is confirmed by the number of CIOs and CISOs fired after a breach. Since breaches are inevitable -- they happen to even the most security-aware organizations -- if you allow your organization to gauge its success solely on whether a breach event occurs, your time at your current organization is limited.

While there are many reasons to explain why organizations are being breached, one of the fundamental causes is that the proper information is not making it to the executives. There needs to be a clear chain of communication to the executives with a clear metric for success. Now is the time to make those changes. Consider this your call to action.

About the author:
Dr. Eric Cole is an industry-recognized security expert with more than 25 years of hands-on experience. He is the founder and an executive leader at Secure Anchor Consulting, where he provides leading-edge cybersecurity consulting services, expert witness work, and leads research and development initiatives to advance state-of-the-art information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. He is actively involved with the SANS Technology Institute (STI) and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.

Next Steps

Get advice for rebuilding information security processes and culture after an incident.

Marcus Ranum and Columbia's Joel Rosenblatt discuss security metrics to enable security automation.

This was last published in October 2014



If you could, how would you change the security hierarchy of your organization to better prevent breaches?
Starting from the CISO down, I believe organizations need to go through some type of "security education" class / process. It can go a long way to help teach employees proper security techniques.
Sure, I'll be the guy who says, "yeah, what he said." But it's true, until we have education and buy-in, we're not going to be able to protect our data and organizations from outside agencies. It starts at the top and permeates an entire company.