“I don’t remember if anyone in risk reads the PDF we send them. I mean, even we don’t understand some of what we’re reporting, so why should they?”

“The CFO hates our risk management meetings. They look at these numbers we give them and have no idea if it means we’re better or worse.”

“We have 217 metrics, but those metrics are fluctuating week to week as we try to figure out what value a measurement has.”

These are just some of the comments we’ve heard over the past year when talking to CISOs and security analysts about their attempts to use metrics to help quantify risk and prioritize resources.

Metrics in security aren’t easy – and not only because of “the math.” Politically, metrics often end up amber because red is bad news, and green means the CFO may think we don’t need any more budget. When you try to move beyond Red-Amber-Green, you can easily find yourself playing “insight roulette,” hoping to win big with the next dashboard you produce.

So, how can we move beyond the current state of confusion and angst towards effective metrics for security?

The first guiding principle is that if we’re not reporting information that people can use to make decisions and drive significant change in risk exposure or security operations efficacy, then all we’re doing is measuring things for the sake of it. The key here is to put security metrics in the context of business, IT and security processes, as well as to break big, broad numbers down into manageable projects that give teams the best course of action to solve a problem. The high-level metrics that go to the board must be grounded in the day-to-day reality of the team actually fixing things.

It’s all too easy to focus on the “how” of security metrics:
How do I get hold of data sources that feel relevant?
How do I make sense of them?
How do I correlate them?

It’s true there’s a lot of work to do here, but teams often get way ahead of themselves when they dive straight into the data. This leads us to the second guiding principle of security metrics – starting with the “what”:
What is the purpose of the metrics?
Are we trying to get visibility into risk or to measure compliance?
What decision will we enable with a metric?
For whom is it actionable?
In what timeframe?
Is there budget to address the metric if it’s “red”?
And what is the impact of the metric? Does it tick the box of “what matters most?” or not?

If you don’t have the answers to these questions, then put down the laptop/spreadsheet/risk report and back away slowly! Without devoting considerable thought to the ‘whats,’ investing resources in sorting out the ‘hows’ will likely turn out to be a waste of time. And when everyone is saying there’s a skills gap, that just doesn’t make sense.

I’m going to be talking at BSides Las Vegas about our experiences creating metrics and what we’ve found works when it comes to turning data from security tools into actionable insights that can significantly shift the security posture of organizations for the better. To find out the details and discover “How to make metrics and influence people,” come to my talk on Wednesday, July 26 at 6:00 PM.

About the Author: Leila Powell is a Data Scientist working in security. Leila used to use supercomputers to study the evolution of galaxies as an astrophysicist. Now she tackles more down-to-earth challenges (yes, the puns get that bad), helping companies use different data sets to understand and address security risk. As part of the team at Panaseer (a London-based security start-up), Leila works with security functions in global financial firms, applying data science to help solve strategic and operational challenges. You can follow Panaseer on Twitter.