
Phil Cracknell - Metrics – The art of comparing Apples with Mango


Our profession (Information Security) has waited patiently for a balanced, independent and common collection of metrics, KPIs, measurements or risk indicators – call them what you will, but something that CFOs have had the equivalent of forever.


  1. Information Security Metrics: Comparing Apples with Mango
  2. Phil Cracknell
     What I am:
       • Fellow of the British Computer Society
       • CISSP
       • 25 years in information security
       • Former CISO (5 times)
       • Headed consultancy practices
       • Founder of ClubCISO
       • Technology agnostic
       • And of course… Cyber Security Personality of the Year 2015
     What I'm not:
       • Selling anything
       • Gaining or profiting from the metrics project
       • Anti-vendor
  3. And so to the dealership… (the "specifications" a car dealer might offer)
       • Quite long
       • Hard to park in small gaps
       • Will fit under car park barriers
       • There's 4 of 'em
       • No CD fitted
       • See above
       • Depends on luggage
       • Try to keep it off the kerb
       • Wheel on each corner
       • Will get you to Waitrose and back
       • One medium Louis Vuitton carry-on and 3 golf clubs
  4. Why them and not us?
       • Our profession (information security) has waited patiently for a balanced, independent and common collection of metrics, KPIs, measurements or risk indicators – call them what you will, but something that CFOs have had the equivalent of forever.
       • EBITDA, PE value, days to close, finance headcount ratio – CFOs can quote them merrily to each other as if they were Top Trumps; they can even quote them to COOs and CEOs and not get a puzzled look.
       • Why has this universal unit of measurement evaded information security professionals for so long?
       • Why do we persist in digging a hole, moving aside the earth, taking off our shoes and jumping right in it every time we quote the figures that we do have to a C-level in our business?
  5. But why?
       • I'll tell you why: it's because those nasty vendor types got together, realised that we were never going to have anything plausible or tangible to scare our board, and so they kindly filled the void, producing value after value.
       • 47.6% compliance with policy – even when it's only partly written and not yet socialised…
       • 32,000 endpoints infected when we only have 2,500 staff, and so on.
       • Seriously, we can't blame the vendors though. The values produced by them, values that we have relied upon and tried to explain in terms that a board can understand, generally reflect the performance of their product – and why not?
  6. Project "Metrics"
       • Businesses are waking up to the fact that they need metrics/risk indicators that our board, audit committees and non-exec directors understand, for they are the key to budget, extra staff, a corner office and a job for life.
       • OK, maybe two of those are not true, but they will make life easier.
       • It's not uncommon to get that Monday morning swoop-by when the CEO has read something in the Sunday Times and wants to know "where we are with that one?"
       • "And what are others doing?"
       • Metrics, as ClubCISO originally decided to call them, are the key to our future. They are being defined by CISOs alone; they detail exactly how we demonstrate our effectiveness, pinpoint our responsibilities and highlight investment or lack of it, and what ensues… They will change the world.
  7. How it all began…
       • So we got 25 CISOs together in a working party, a combined 350 years of information security experience, and we grabbed a supply of Post-it notes and pens and asked the CISOs to write down what they considered to be their top five metrics. Having stuck the notes on the wall, we then proceeded to group the notes into collections of similar values. The results showed five general 'headings' or families into which the majority of Post-it notes fell. This was our starting point.
       • It's not just about creating a framework for metrics and then individually producing them; we had to cunningly establish a second workstream – a communications group – to lobby, educate and inform audit committees, data privacy officers, non-exec directors and influencers on what exactly the metrics could do for them.
       • They may not fully appreciate a top-level metric at the moment, but they are more than familiar with board risk indicators, and our top-level metrics will ultimately feed into these already understood values and add some further perspective.
       • Going forward, we want to be able to demonstrate 'what if' and investment modelling scenarios to show trends if we invest more, less or differently.
  8. Metrics – top level
       • Exposure
       • Agility
       • Culture
       • Incidents
       • 3rd Party Management
       • Access & Controls
  9. If Carlsberg made security metrics…
  10. CISO bumps into CFO at coffee machine
       CISO: "We have detected 55,000 viruses this month!"
       CFO: "Wow."
       CISO: "And there were 60,000 the month before!"
       CFO: "Is that better or worse?"
       (silence)
       CFO: "Are we detecting less because we are losing laptops off our network, or are we being targeted less?"
       CISO: "Errrr…"
       (tumbleweed moment)
       CISO, quick thinking and changing the subject: "And we're riddled with malware, you know…?"
       CFO: "How much does that cost us?"
       (sigh)
  11. Final thought: Report what is important, not what you can.
       Email: phil@info-secure.co.uk
       Twitter: @pcracknell