Metrics, measures & Myths

Metrics, Measures and Myths Ramsés Gallego CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified General Manager Entel Security & Risk Management rgallego@entel.es © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Today’s agenda • Some quotes and definitions • The myths • The power of metrics • Metrics: characteristics & classification • What are CSFs, KGIs and KPIs? • Examples of security metrics and KPIs • SIM and MMI architectures • The SMART side of metrics © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Let’s think about this • ‘Measure what is measurable and make measurable what is not so’ - Galileo Galilei (1564-1642) • ‘If you cannot measure it, you cannot improve it’ - William Thomson (Lord Kelvin), (1824-1907) © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Let’s think about this • ‘Measure what is measurable and make measurable what is not so’ - Galileo Galilei (1564-1642) • ‘If you cannot measure it, you cannot improve it’ - William Thomson (Lord Kelvin), (1824-1907) • ‘You cannot control what you cannot measure’ - DeMarco, 1982 © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Let’s think about this • ‘Measure what is measurable and make measurable what is not so’ - Galileo Galilei (1564-1642) • ‘If you cannot measure it, you cannot improve it’ - William Thomson (Lord Kelvin), (1824-1907) • ‘You cannot control what you cannot measure’ - DeMarco, 1982 • ‘Even when it is not clear how we might measure an attribute, the act of proposing such measures will open a debate that leads to greater understanding’ - Fenton and Pfleeger, 1997 © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Definitions • Governance: “The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and veryfing that the enterprise’s resources are used responsibly” © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Definitions: what is a metric? • The National Institute of Standards and Technology (NIST) define metrics as: ‘Tools designed to facilitate decision-making and improve performance and accountability through collection, analysis and reporting of relevant performance-related data’ • Metrics are simply a standard or system of measurement. In this case, it is a standard for measuring security, specifically measuring an organization’s security posture. Although there are some published standards for measuring security, ideally security metrics should be adjusted and tuned to fit a specific organization or situation © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Goals of this effort • Develop a security metrics framework that allows management and operators to assess their security improvements (time-relevant), guide their security thinking and aid in risk assessment for their environments © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty – Fact: metrics are for problem solving and identifying opportunity areas © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty – Fact: metrics are for problem solving and identifying opportunity areas • #3 - we can’t measure what we cannot control © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty – Fact: metrics are for problem solving and identifying opportunity areas • #3 - we can’t measure what we cannot control – Fact: measure what you influence © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty – Fact: metrics are for problem solving and identifying opportunity areas • #3 - we can’t measure what we cannot control – Fact: measure what you influence • #4 - metrics are for measuring people © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty – Fact: metrics are for problem solving and identifying opportunity areas • #3 - we can’t measure what we cannot control – Fact: measure what you influence • #4 - metrics are for measuring people – Fact: measure the team contribution. They are an organizational tool © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty – Fact: metrics are for problem solving and identifying opportunity areas • #3 - we can’t measure what we cannot control – Fact: measure what you influence • #4 - metrics are for measuring people – Fact: measure the team contribution. They are an organizational tool • #5 - we must measure everything © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Myths on metrics • #1 - a little data goes a long way – Fact: you can only improve what you measure • #2 - measurement is for punishing the guilty – Fact: metrics are for problem solving and identifying opportunity areas • #3 - we can’t measure what we cannot control – Fact: measure what you influence • #4 - metrics are for measuring people – Fact: measure the team contribution. They are an organizational tool • #5 - we must measure everything – Fact: keep it simple so that everybody understands it © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

The power of metrics • It’s not in the details but in their clarity • Metrics allow executive management to: • Measure achievement • Drive performance • Improve and realign (towards goals) • Metrics should provide a holistic and balanced view of the business © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Metrics: what is needed? • The 7 attributes of Information criteria (also known as the “IC Profile”) • Key conditions before defining a framework: • Having a pre-defined business process • Having clear goals/performance requirements • Having quantitative/qualitative measures for the business process © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Metrics: Characteristics & Classification • Process Metrics • Objective/Subjective • Secure coding standards in use • Avg. time to correct critical vulnerabilities • Quantitative/Qualitative • Vulnerability metrics • Static/Dynamic • By vulnerability type • By ocurrence within a software development • Absolute/Relative life cycle phase • Management • Direct/Indirect • % of applications that are currently accepted by business partners • Trending: critical unresolved, accepted risks © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Metric Specification • Name of the metric • Description of what is measured • How is the metric measured • How often is the measurement taken • Range of values considered normal for the metric • Best possible value of the metric • Units of measurement © Source: Vicente Aceituno’s presentation for the FIST conferences in Madrid, 2008 © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

CSFs, KGIs and KPIs: what are they? • CSFs: Critical Success Factors or “vital elements” • KGIs: Key Goals Indicators or “what” has to be accomplished • KPIs: Key Performance Indicators or “how well” the process is performing © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Example of IT metrics and KPIs • % reduction in repeat security incidents • Increased number of secure assets from risk analysis audits • % reduction of blank passwords on critical systems • % improvement on time-to-access applications • Improved bandwith use due to only-professional web surfing • % reduction in the unavailabilty of services and components (linked with corporate infrastructure management) • % efficiency improvement based on number of RFCs processed regarding vulnerabilities • % reduction in installed software not taken from DSL © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Where do we show metrics?: Dahsboards and BSCs • Single point of information for infrastructure & security management • Help to make decisions and provide real-time answers to managers • Talk about the business, not about figures! • Need the involvement of the business and operations to be developed/designed in order to provide value • Web and role-based so as to get the right data (becoming the tool that consolidates siloed information) © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Some dashboard examples © Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com © Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

Monitoring vs. Management T NG N E I M R GE TO NI A AN MO M Refine, analyze and Act on real business sort data that knowledge in a Value (and Cost) delivers security single place information according to Apply business Centralize access business need relevance to to data content information to and determine business applications priorities DATA INFORMATION ACTION KNOWLEDGE Level 2 Level 1 Level 3 Level 4 © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

The road to manage security information Alarm Escalation, Invoke Management Console, Response Response Model Management/Alert Management ● email ● Pager ● Cell ● ACTION Presentation Event Manage/Report Event Display, Trend Analysis, Security Reports, Performance Reports, Security System Health, Pattern Discovery KNOWLEDGE Assigning Ownership Prioritization Event Correlation Event Prioritization, Event Associations, Security Modeling Event Aggregation Log Data Reduction, Event Matching, Data Normalization and De-Duplicating Events Monitoring INFORMATION Reduction Data Filtering Event Monitoring, Third-Party Integration, Protocol DATA Data Repository Support Data Collection/Capture ● Syslog ● SNMP ● API ● © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

SIM and MMI Architectures query Policies Events Reporter Policy Manager Management Portal Collector ts er al Router Load Balancer SunOS Mainframe Windows X.500 Directory Router DB IDS Switch AIX Proxy Network Identity Applications /Hosts Security Systems Systems Information systems Systems © 2006 CA - All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

What can be achieved • KPIs that are a measure of how well a process is performing • The capability of predicting the probability of success or failure in the future • KPIs that are business-focused, process-oriented but IT-driven • KPIs that are expressed in precisely measurable terms • KPIs that, when acted upon, will help to improve the process • FOCUS on what is really important and has impact © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

The SMART side of metrics First business needs, then processes, then metrics, • then tools • Keep them simple • Use “as is/to be” & “is/is not” lists • Metrics should be S-M-A-R-T © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

THANK YOU Metrics, Measures and Myths Ramsés Gallego CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified General Manager Entel Security & Risk Management rgallego@entel.es © 2008 ISACA. All rights reserved Wednesday, March 25, 2009

http://visionbi.blogspot.com	6
http://www.slideshare.net	4
http://www.lmodules.com	1
http://visionbi.blogspot.in	1
http://visionbi.blogspot.ru	1

Metrics, measures & Myths

by Ramsés Gallego

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 13

Statistics

Metrics, measures & Myths Presentation Transcript