Data breaches seem to have been constantly in the headlines in recent years. This has caused many top level executives to ask this question of their information security officers: “How safe is our data?” In the rapidly evolving world of cloud computing and data centers, this question, and the ability to monitor and measure security information, has become crucial to the way businesses operate.
Security metrics, when utilized properly, help organizations with better security practices, better training, and better tools where they’re needed. Furthermore, when these are presented in a coherent fashion they can quickly and painlessly show the ROI from good, well thought-out security procedures to the rest of the board.
Writing in Information Week’s Dark Reading e-zine, Ericka Chickowski examines five of the best practices for measuring the IT security of any business:
“Start with a baseline”
The first step to solid security monitoring is to establish a baseline. Any later analysis will be meaningless if you cannot properly define what ‘normal’ is supposed to look like. A well-defined baseline makes it easier to spot aberrant or anomalous behavior and to take action against threats quickly.
“Put the microscope on vulnerabilities and patch management”
The goal here is to reduce the amount of time between a patch release and its deployment, so-called “patch latency.” The smaller this number, generally the more secure a system will be. This minimizes the amount of time a vulnerability in software is open for exploitation and is one of the key available security metrics.
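As an added illustration of the metric described above (this is example code written for this post, not from Dark Reading or GRT Corp.), the script below computes patch latency per severity from a small set of constructed patch records. It treats a patch that is still undeployed as having latency up to the reporting date, so outstanding patches are not hidden from the metric, and it reports the share of patches deployed within an assumed service-level window per severity. The severity windows, patch identifiers and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass
class PatchRecord:
    """One vendor patch and when it was deployed in our environment."""
    patch_id: str
    severity: str                 # "critical", "high", "medium" or "low"
    released: datetime            # vendor release date
    deployed: Optional[datetime]  # None while the patch is still outstanding


# Assumed per-severity windows (days) within which a patch should be deployed.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed sample data; identifiers and dates are hypothetical.
SAMPLE_RECORDS = [
    PatchRecord("P-1", "critical", datetime(2024, 2, 1), datetime(2024, 2, 4)),
    PatchRecord("P-2", "critical", datetime(2024, 2, 10), datetime(2024, 2, 20)),
    PatchRecord("P-3", "critical", datetime(2024, 2, 20), None),
    PatchRecord("P-4", "high", datetime(2024, 1, 15), datetime(2024, 1, 25)),
    PatchRecord("P-5", "high", datetime(2024, 2, 25), None),
    PatchRecord("P-6", "low", datetime(2024, 1, 1), datetime(2024, 2, 15)),
]
AS_OF = datetime(2024, 3, 1)  # reporting date for the sample


def latency_days(rec: PatchRecord, as_of: datetime) -> float:
    """Days from release to deployment; for open patches, days open so far."""
    end = rec.deployed if rec.deployed is not None else as_of
    return (end - rec.released).total_seconds() / 86400.0


def patch_latency_report(records: List[PatchRecord], as_of: datetime) -> Dict[str, dict]:
    """Per-severity latency summary: count, median latency, % deployed within
    the SLA window, and the ids of open patches that have already overrun it."""
    report = {}
    for sev, limit in SLA_DAYS.items():
        sev_recs = [r for r in records if r.severity == sev]
        if not sev_recs:
            continue
        lats = [latency_days(r, as_of) for r in sev_recs]
        within = sum(1 for r, lat in zip(sev_recs, lats)
                     if r.deployed is not None and lat <= limit)
        overdue = [r.patch_id for r, lat in zip(sev_recs, lats)
                   if r.deployed is None and lat > limit]
        report[sev] = {
            "count": len(sev_recs),
            "median_latency_days": median(lats),
            "pct_within_sla": 100.0 * within / len(sev_recs),
            "open_overdue": overdue,
        }
    return report


def example_report() -> Dict[str, dict]:
    """Run the report over the constructed sample records."""
    return patch_latency_report(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for sev, row in example_report().items():
        print(f"{sev:9s} n={row['count']} median={row['median_latency_days']:.1f}d "
              f"within_sla={row['pct_within_sla']:.0f}% open_overdue={row['open_overdue']}")
```

Running the report regularly (weekly rather than at an annual review) turns the median and the within-window percentage into a trend line, which is what makes the metric useful to a board: the open-overdue list is the operational follow-up, the percentages are the KPI.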
“Keep better track of incident response performance”
Much of the work should really be about risk mitigation, rather than risk prevention. Understanding that there is no magic bullet that will keep all the bad guys out of the system is crucial to lowering the risk of a critical data breach. This means focusing on tracking and monitoring incident response practices instead of sticking heads in the sand.
“Keep tabs on access control”
One of the best ways to measure IT security is to ensure a solid understanding of how users access a system, and to keep tight control of what they do with the information. Keeping tabs on the identity of those accessing the system and what they do with the information can be crucial to minimizing the risks associated with user behavior.
“Measure with an eye toward ROI”
Many of these metrics can be used as KPIs to illustrate how risk postures are either improving or deteriorating. However, these alone will not prove the cost-benefit to the business as a whole. They need to be put into context.
Overall, though, no matter which metrics are used, experts “consistently recommend that they are measured more often.” Annual reviews hamper incremental change, and in the fast-moving world of IT security this is something that needs to change.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”