Metrics & Reporting - A Failure in Communication
CONTENTS
Metrics and Reporting
The Problem Measured
Is This Important?
‘Communication is What the Receiver Does’
What IT/Security is Doing
The Danger in Poor Communication
What is IT/Security Doing About this Lack of Communication?
What Should IT/Security Be Doing?
© 2014 Wisegate. All Rights Reserved. All information in this document is the property of Wisegate.
This publication may not be reproduced or distributed in any form without Wisegate's prior written
permission. There’s a good chance we’ll let you use it, but still: it’s nice to ask first.
In June of 2014, Wisegate conducted a member-driven research initiative designed to
assess the current state of security risks and controls in business today. Assessing IT
Security Risks addresses many of the top takeaways from this survey. This document is the
first in a series of reports designed to look more closely at four specific issues highlighted
by that survey.
» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration
Metrics and Reporting
This document might just as easily have been titled ‘The Lack of Metrics’. The problem is
captured in a simple conclusion reached in Assessing IT Security Risks:
“Overall, [security] teams were optimistic but not overwhelmingly confident.”
On the surface, this statement appears to hide a contradiction: how can someone be
genuinely optimistic without being simultaneously confident? That apparent contradiction
hides a potentially widespread problem in information security: CISOs are continually
working to improve their company’s security, but have little ability to measure that success
(or, indeed, the lack of it).
Without having the metrics of success or failure, security teams can be optimistic in what
they are doing—but cannot ultimately be confident in its effect.
This problem is then compounded. Metrics form the basis of business-level reporting, and
without those metrics IT struggles to effectively communicate security issues to Business.
The Problem Measured
Participants in this survey were asked, ‘do you have metrics in place to track your top three
risks?’ (see Figure 1). Overall, 50% do not have metrics.
…the real problem with security risk management in the enterprise isn’t of
confidence—it’s of measurement; survey respondents don’t really have a good way
of indicating the effectiveness (or lack thereof) of existing programs.
—Assessing and Managing IT Security Risks
Figure 1: Survey Question: Do you have a metric to measure the risk in your top
three areas of concerns?
Source: Wisegate June 2014
The problem is that there is a general acceptance that all three top risks are growing—more
than 80% of participants believe that major risks are increasing in their industry (see Figure
2).
[Note: These three ‘top risks’ are non-specific—they are whatever the participant
considered to be his or her personal top three risks. Overall, the top three risks are
malware, data breaches and outsider threat.]
Figure 2: Survey Question: Which risks are growing for your specific company and
industry?
Source: Wisegate June 2014
What this means, in effect, is that IT cannot accurately communicate an increasing security
risk to Business; and Business cannot accurately understand that security risk and its
possible impact on the business.
Is This Important?
This lack of communication is very important, for three particular reasons:
» Real security cannot be achieved without full Business buy-in.
» Business is likely to become suddenly very keen on understanding security
following the recent prosecution of FedEx, in what can be seen as an extension of
the ‘failure to prevent’ theory. “This bodes ill not only for corporations that fail to
prevent criminal activity, but for corporate compliance officers whose programs,
when scrutinized under the glare of 20-20 hindsight, may be found deficient.” [1] It is
possible that within a relatively short period, individual board members could be
held legally liable for security failures.
» Boards are being urged by the National Association of Corporate Directors to be
more proactive in information security.
The reality is that possibly for the first time, corporate boardrooms are taking cyber security
seriously. The continuous flow of news of major security breaches in major companies is
having an effect. Boards are asking:
» How does our security stack up?
» How do we compare with other companies in our sector?
Without adequate security metrics to answer those questions in the language that Business
understands, IT/Security will miss a major opportunity.
‘Communication is What the Receiver Does’
It is a tenet of communication that you have to listen. There are signs that Business is ready
to listen.
In July 2014 the National Association of Corporate Directors published a new handbook for
its members: Cyber-Risk Oversight [2]. Its advice to directors is organized around five key
principles:
1. Directors need to understand and approach cyber security as an enterprise-wide
risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to
their company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions
about cyber-risk management should be given regular and adequate time on the
board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide
cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include
identification of which risks to avoid, accept, mitigate or transfer through insurance
as well as specific plans associated with each approach.
[1] The Rise of 'Failure to Prevent' Crimes and CCO Liability; New York Law Journal (27 October 2014):
http://newyorklawjournal.com/id=1202674374593
[2] Cyber-Risk Oversight Handbook (free to NACD members): http://www.nacdonline.org/cyber
That last point highlights the need for discussion between IT/Security and the board. When
the handbook was first published, Internet Security Alliance President Larry Clinton
commented, "Most business leaders do not spend a lot of time talking about ISO standards
and NIST framework. They talk about things like profitability, growth, innovation, product
development, price-to-earnings ratios. This publication, perhaps for the first time, attempts
to put cybersecurity squarely within that business context."
But while Business might be ready to listen, IT/Security still finds it difficult to speak in a
language that Business understands.
What IT/Security is Doing
IT/Security is taking a risk-based approach to defending systems; but it currently lacks the
means to report the risk status to boards and internal business partners.
“CISOs are measuring tactical things,” explains the Assessing IT Security Risks lead author,
Bill Burns. “What metrics exist are events-driven: how much classified data was blocked
from leaving the system; how many malware hits were stopped at the firewall or by the AV
software. But there exists a huge disconnect between such activity-based metrics and
rolling them up into ‘what is the impact of our security programs on the business’.”
The problem, he suggests, is that there remains a tool-centric rather than risk-centric view
of security—and the tools that are available rarely provide metrics that can be combined
into an overall metrics-based company risk report suitable for delivery to the board. This
leads to a failure of communication between IT/Security and Business—which is, says
Burns, a major challenge for IT/Security.
To a large degree this basic problem is a natural result of the security product market,
which comprises a wide range of distinct point products. The natural desire to use a ‘best
of breed’ approach (that is, to use the best available solution for each separate risk)
doesn’t lend itself to seamless security metrics. The extent of the problem can be seen in
Figures 3 to 6, taken from the survey. The diversity of products expected to be in use over
the next 3-5 years makes seamless, cohesive reporting across the whole security
discipline difficult to achieve, and almost impossible in a format suitable for presentation
to business management. This is unlikely to change within the next five years.
Figure 3: Survey Question: Which endpoint-targeted security controls will be a top
priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 4: Survey Question: Which mobility / IoT security control will be most
important to your company in the next 3-5 years?
Source: Wisegate, June 2014
Figure 5: Survey Question: Which of these Messaging, File/Doc Sharing controls
will be a top priority to you in the next 3-5 years (multiple selections allowed).
Source: Wisegate, June 2014
Figure 6: Survey Question: Stack-rank these Infrastructure controls by which will be
a top priority to you in the next 3-5 years.
Source: Wisegate, June 2014
This volume of different products makes communicating strengths and weaknesses in the
corporate security profile in relation to business impact a difficult proposition. “Although this
sounds harsh,” comments Burns, “it results in a failure of the security teams to
communicate in business terms, and for business people to understand security. There’s a
business gap—and it’s one of the biggest challenges I see for Security.”
The Danger in Poor Communication
The two primary dangers of poor communications are:
» A continuing disconnect between Business and Security, leading to underfunding
and weak policy implementation
» A Business concentration on the one set of industry-wide metrics already available:
compliance checklists
Many security teams already believe they suffer from the first, and many more will
increasingly come up against the latter.
“I think we are finally at the point, with so many large scale breaches,” explains Burns, “that
Business is taking Security seriously. Boards are ready to listen if we can learn their
language to speak to them. What they want to know is, ‘are we doing everything we should
be doing; and are we doing what our peers are doing?’”
It is that latter point that leads Business to concentrate on compliance-based security. If the
only metrics available are the compliance regulations, then conforming strictly to those
requirements serves two purposes: firstly it provides a defense against any possible ‘failure
to prevent’ legal challenges; and secondly it provides a likely ‘peer comparison’ point.
Most security professionals do not believe that conforming to a compliance checklist
provides the best possible security. However, unless Security can develop its own metrics
and reporting, Business will increasingly rely on compliance instead, possibly to the
detriment of real security.
What is IT/Security Doing About this Lack of
Communication?
IT/Security readily acknowledges that communication is a problem. “People accept that this
is a problem, and talk about it,” comments Burns. “But not one of the survey participants
could say, ‘I cracked the nut—this is what you have to do to communicate successfully.’”
It is a subject that frequently occurs in Wisegate roundtable discussions. For example, in a
recent Wisegate Live Research call, one CISO with a large financial firm noted:
“The higher you go, the more you need to be able to talk about business drivers in
business language that business can understand. The thing that works best seems
to be stories and analogies—they seem to be the best way to share information with
the more senior individuals in your business.”
—“What are the soft skills required for a career in IT and security?” Roundtable
Talking, however, is not reporting, and stories are not metrics. The reality is that IT/Security
mostly does little more than talk about the problem of metrics and reporting.
What Should IT/Security Be Doing?
The survey shows that IT/Security suffers from a lack of adequate metrics. This translates
into poor communication between IT/Security and Business. In the short term this can be
improved by IT/Security aggregating security point solutions to provide a seamless holistic
risk rating; and then creating the metrics to demonstrate the impact of security on business.
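The roll-up that Burns describes as missing (activity counts from individual tools that are never combined into ‘what is the impact of our security programs on the business’) and the short-term recommendation above can be made concrete. The following is an added example written for this page, not code from the Wisegate report or its survey participants. It maps a handful of hypothetical point-product readings onto the survey’s overall top three risks (malware, data breaches, outsider threat), scores each reading against a target, weights them into one rating per risk, and produces a board-level row per risk with a rating, the movement since the previous period, and an explicit list of what was not measured. The indicator names, targets, weights, rating thresholds and the quarterly readings are all constructed for illustration; the one design point worth copying is that a risk with no indicator is reported as UNMEASURED rather than silently omitted, which is exactly the gap the survey’s 50% figure describes.

```python
"""Roll tool-level (activity) metrics up into a per-risk rating for a board report.

Added example, not from the Wisegate report. Indicator names, targets, weights,
thresholds and the sample readings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The survey's overall top three risks (from the report); the order is the report order.
TOP_RISKS = ["malware", "data breaches", "outsider threat"]


@dataclass(frozen=True)
class Indicator:
    risk: str              # which top risk this tool output speaks to
    name: str              # the raw metric a point product reports
    target: float          # value at which the control is considered to be doing its job
    higher_is_better: bool
    weight: float = 1.0    # relative importance inside the risk


@dataclass(frozen=True)
class Reading:
    name: str
    value: float
    period: str            # e.g. "2014-Q2"


# Hypothetical indicator model. "outsider threat" deliberately has no indicator:
# no tool in this constructed estate measures it, and the report must say so.
INDICATORS = [
    Indicator("malware", "endpoint_av_coverage_pct", 98.0, True, 2.0),
    Indicator("malware", "hosts_infected_per_1000", 2.0, False, 2.0),
    Indicator("malware", "median_hours_to_contain", 8.0, False, 1.0),
    Indicator("data breaches", "dlp_coverage_of_classified_repos_pct", 95.0, True, 2.0),
    Indicator("data breaches", "confirmed_exfil_incidents", 0.0, False, 3.0),
]

# Constructed sample readings, as an AV console, EDR tool or DLP export might supply them.
# Q1 has no containment-time reading, so that indicator must show up as a gap, not as zero.
READINGS = [
    Reading("endpoint_av_coverage_pct", 92.0, "2014-Q1"),
    Reading("hosts_infected_per_1000", 3.0, "2014-Q1"),
    Reading("dlp_coverage_of_classified_repos_pct", 80.0, "2014-Q1"),
    Reading("confirmed_exfil_incidents", 1.0, "2014-Q1"),
    Reading("endpoint_av_coverage_pct", 97.0, "2014-Q2"),
    Reading("hosts_infected_per_1000", 2.5, "2014-Q2"),
    Reading("median_hours_to_contain", 6.0, "2014-Q2"),
    Reading("dlp_coverage_of_classified_repos_pct", 90.0, "2014-Q2"),
    Reading("confirmed_exfil_incidents", 0.0, "2014-Q2"),
]


def attainment(ind: Indicator, value: float) -> float:
    """Map a raw tool metric onto 0..1 against its target (1.0 = target met or beaten)."""
    if ind.higher_is_better:
        return min(value / ind.target, 1.0) if ind.target > 0 else 1.0
    if value <= ind.target:
        return 1.0
    # Lower-is-better and over target: degrade proportionally; a zero target tolerates nothing.
    return ind.target / value if ind.target > 0 else 0.0


def roll_up(period: str) -> Tuple[Dict[str, Optional[float]], Dict[str, List[str]]]:
    """Weighted score per top risk for one period, plus the indicators that had no reading.

    A risk with no scored indicator at all gets None, which the summary renders as UNMEASURED.
    """
    by_name = {r.name: r.value for r in READINGS if r.period == period}
    num = {risk: 0.0 for risk in TOP_RISKS}
    den = {risk: 0.0 for risk in TOP_RISKS}
    missing: Dict[str, List[str]] = {risk: [] for risk in TOP_RISKS}
    for ind in INDICATORS:
        if ind.name not in by_name:
            missing[ind.risk].append(ind.name)
            continue
        num[ind.risk] += ind.weight * attainment(ind, by_name[ind.name])
        den[ind.risk] += ind.weight
    scores = {risk: (num[risk] / den[risk] if den[risk] > 0 else None) for risk in TOP_RISKS}
    return scores, missing


def rating(score: Optional[float]) -> str:
    """Board-level label; the 0.9 / 0.7 thresholds are an assumption of this example."""
    if score is None:
        return "UNMEASURED"
    return "GREEN" if score >= 0.9 else "AMBER" if score >= 0.7 else "RED"


def board_summary(period: str, prior: Optional[str] = None) -> Dict[str, dict]:
    """One row per top risk: rating, score, movement since the prior period, measurement gaps."""
    scores, missing = roll_up(period)
    prior_scores = roll_up(prior)[0] if prior else {}
    rows = {}
    for risk in TOP_RISKS:
        cur, prev = scores[risk], prior_scores.get(risk)
        rows[risk] = {
            "rating": rating(cur),
            "score": None if cur is None else round(cur, 3),
            "trend": None if cur is None or prev is None else round(cur - prev, 3),
            "not_measured": missing[risk],
        }
    return rows


if __name__ == "__main__":
    for risk, row in board_summary("2014-Q2", prior="2014-Q1").items():
        print(f"{risk:16} {row['rating']:10} score={row['score']} "
              f"trend={row['trend']} gaps={row['not_measured']}")
```

The two things a board reader gets from this that the raw tool counts do not give are the trend column (is the position improving quarter on quarter?) and the gaps: in the constructed data, malware is AMBER in Q1 with containment time unmeasured, and outsider threat is UNMEASURED in both quarters because no tool feeds it. Targets and weights are the part that has to be negotiated with Business rather than taken from a product; the code only makes that negotiation visible.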
In the longer term, the problem provides an opportunity for security users and security
vendors. As the move towards the adoption of security-as-a-service solutions gathers pace,
security teams can start to insist on the provision of usable metrics as part of the partner
agreement.
Malware & Data Breaches:  Combatting the Biggest ThreatMalware & Data Breaches:  Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest Threat
Chris Ross
 
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Chris Ross
 
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Chris Ross
 
Hello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsHello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft Skills
Chris Ross
 
Maximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsMaximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next Steps
Chris Ross
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401
Chris Ross
 
5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know
Chris Ross
 

More from Chris Ross (7)

Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches:  Combatting the Biggest ThreatMalware & Data Breaches:  Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest Threat
 
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...Data-centric Security: Using Information Protection and Control (IPC) Tools t...
Data-centric Security: Using Information Protection and Control (IPC) Tools t...
 
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
Automation and Orchestration - Harnessing Threat Intelligence for Better Inci...
 
Hello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft SkillsHello, I Must Be Going - Hard Facts on Soft Skills
Hello, I Must Be Going - Hard Facts on Soft Skills
 
Maximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next StepsMaximizing Your IT Career Needed Skills and Next Steps
Maximizing Your IT Career Needed Skills and Next Steps
 
What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401What does Information Security have in common with Eastern Air Lines Flight 401
What does Information Security have in common with Eastern Air Lines Flight 401
 
5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know5 Tips Every Job-Hunting IT Pro Should Know
5 Tips Every Job-Hunting IT Pro Should Know
 

Recently uploaded

Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 

Recently uploaded (20)

Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 

Metrics & Reporting - A Failure in Communication

In June of 2014, Wisegate conducted a member-driven research initiative designed to assess the current state of security risks and controls in business today. Assessing IT Security Risks addresses many of the top takeaways from this survey. This document is the first in a series of reports designed to look more closely at four specific issues highlighted by that survey.

» Metrics and reporting
» Malware and data breaches
» Data-centric security
» Automation and orchestration

Metrics and Reporting

This document might have just as easily been titled, ‘The Lack of Metrics’. It is highlighted in a simple conclusion reached in Assessing IT Security Risks: “Overall, [security] teams were optimistic but not overwhelmingly confident.”

On the surface, this statement appears to hide a contradiction: how can someone be genuinely optimistic without being simultaneously confident? That apparent contradiction hides a potentially widespread problem in information security: CISOs are always improving their company security; there is little ability, however, to measure that success (or indeed, lack of it). Without having the metrics of success or failure, security teams can be optimistic in what they are doing—but cannot ultimately be confident in its effect.

This problem is then compounded. Metrics form the basis of business-level reporting, and without those metrics IT struggles to effectively communicate security issues to Business.

The Problem Measured

Participants in this survey were asked, ‘do you have metrics in place to track your top three risks?’ (see Figure 1). Overall, 50% do not have metrics.

“…the real problem with security risk management in the enterprise isn’t of confidence—it’s of measurement; survey respondents don’t really have a good way of indicating the effectiveness (or lack thereof) of existing programs.” —Assessing and Managing IT Security Risks

Figure 1: Survey Question: Do you have a metric to measure the risk in your top three areas of concern? Source: Wisegate, June 2014

The problem is that there is a general acceptance that all three top risks are growing—more than 80% of participants believe that major risks are increasing in their industry (see Figure 2). [Note: These three ‘top risks’ are non-specific—they are whatever the participant considered to be his or her personal top three risks. Overall, the top three risks are malware, data breaches and outsider threat.]

Figure 2: Survey Question: Which risks are growing for your specific company and industry? Source: Wisegate, June 2014

What this means, in effect, is that IT cannot accurately communicate an increasing security risk to Business; and Business cannot accurately understand that security risk and its possible impact on the business.

Is This Important?

This lack of communication is very important, for three particular reasons:

» Real security cannot be achieved without full Business buy-in.
» Business is likely to become suddenly very keen on understanding security following the recent prosecution of FedEx in what can be seen as an extension of the ‘failure to prevent’ theory. “This bodes ill not only for corporations that fail to prevent criminal activity, but for corporate compliance officers whose programs, when scrutinized under the glare of 20-20 hindsight, may be found deficient.” [1] It is possible that within a relatively short period, individual board members could be held legally liable for security failures.
» Boards are being urged by the National Association of Corporate Directors to be more proactive in information security.

The reality is that, possibly for the first time, corporate boardrooms are taking cyber security seriously. The continuous flow of news of major security breaches in major companies is having an effect. Boards are asking:

» How does our security stack up?
» How do we compare with other companies in our sector?

Without adequate security metrics to answer those questions in the language that Business understands, IT/Security will miss a major opportunity.

‘Communication is What the Receiver Does’

It is a tenet of communication that you have to listen. There are signs that Business is ready to listen. In July 2014 the National Association of Corporate Directors published a new handbook for its members: Cyber-Risk Oversight [2]. Its advice to directors is organized around five key principles:

1. Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

That last point highlights the need for discussion between IT/Security and the board. When the handbook was first published, Internet Security Alliance President Larry Clinton commented, "Most business leaders do not spend a lot of time talking about ISO standards and NIST framework. They talk about things like profitability, growth, innovation, product development, price-to-earnings ratios. This publication, perhaps for the first time, attempts to put cybersecurity squarely within that business context."

But while Business might be ready to listen, there remains a difficulty for IT/Security to speak in a language that it understands.

What IT/Security is Doing

IT/Security is taking a risk-based approach to defending systems; but it currently lacks the means to report the risk status to boards and internal business partners.

“CISOs are measuring tactical things,” explains the Assessing IT Security Risks lead author, Bill Burns. “What metrics exist are events-driven: how much classified data was blocked from leaving the system; how many malware hits were stopped at the firewall or by the AV software. But there exists a huge disconnect between such activity-based metrics and rolling them up into ‘what is the impact of our security programs on the business’.”

The problem, he suggests, is that there remains a tool-centric rather than risk-centric view of security—and the tools that are available rarely provide metrics that can be combined into an overall metrics-based company risk report suitable for delivery to the board. This leads to a failure of communication between IT/Security and Business—which is, says Burns, a major challenge for IT/Security.

To a large degree this basic problem is a natural result of the security product market, which comprises a wide range of distinct point products. The natural desire to use a ‘best of breed’ approach (that is, to use the best available solution for each separate risk) doesn’t lend itself to seamless security metrics. The extent of the problem can be seen in Figures 3 to 6, taken from the survey. The diversity of different products expected to be used in the next 3-5 years makes seamless and cohesive reporting across the whole security discipline difficult to achieve—and almost impossible in a format suitable to present to business management. This is unlikely to change within the next five years.

Figure 3: Survey Question: Which endpoint-targeted security controls will be a top priority to you in the next 3-5 years (multiple selections allowed)? Source: Wisegate, June 2014

Figure 4: Survey Question: Which mobility / IoT security control will be most important to your company in the next 3-5 years? Source: Wisegate, June 2014

Figure 5: Survey Question: Which of these Messaging, File/Doc Sharing controls will be a top priority to you in the next 3-5 years (multiple selections allowed)? Source: Wisegate, June 2014

Figure 6: Survey Question: Stack-rank these Infrastructure controls by which will be a top priority to you in the next 3-5 years. Source: Wisegate, June 2014

This volume of different products makes communicating strengths and weaknesses in the corporate security profile in relation to business impact a difficult proposition. “Although this sounds harsh,” comments Burns, “it results in a failure of the security teams to communicate in business terms, and for business people to understand security. There’s a business gap—and it’s one of the biggest challenges I see for Security.”

The Danger in Poor Communication

The two primary dangers of poor communication are:

» A continuing disconnect between Business and Security, leading to underfunding and weak policy implementation
» A Business concentration on the one set of industry-wide metrics already available: compliance checklists

Many security teams already believe they suffer from the first, and many more will increasingly come up against the latter. “I think we are finally at the point, with so many large-scale breaches,” explains Burns, “that Business is taking Security seriously. Boards are ready to listen if we can learn their language to speak to them. What they want to know is, ‘are we doing everything we should be doing; and are we doing what our peers are doing?’”

It is that latter point that leads Business to concentrate on compliance-based security. If the only metrics available are the compliance regulations, then conforming strictly to those requirements serves two purposes: firstly it provides a defense against any possible ‘failure to prevent’ legal challenges; and secondly it provides a likely ‘peer comparison’ point. Most security professionals do not believe that conforming to a compliance checklist provides the best possible security. However, unless Security can develop its own metrics and reporting, Business will inevitably rely increasingly on compliance instead—possibly to the detriment of real security.

What is IT/Security Doing About this Lack of Communication?

IT/Security readily acknowledges that communication is a problem. “People accept that this is a problem, and talk about it,” comments Burns. “But not one of the survey participants could say, ‘I cracked the nut—this is what you have to do to communicate successfully.’”

It is a subject that frequently occurs in Wisegate roundtable discussions. For example, in a recent Wisegate Live Research call, one CISO with a large financial firm noted:

“The higher you go, the more you need to be able to talk about business drivers in business language that business can understand. The thing that works best seems to be stories and analogies—they seem to be the best way to share information with the more senior individuals in your business.” —“What are the soft skills required for a career in IT and security?” Roundtable

Talking, however, is not reporting, and stories are not metrics. The reality is that IT/Security mostly does little more than talk about the problem of metrics and reporting.

What Should IT/Security Be Doing?

The survey shows that IT/Security suffers from a lack of adequate metrics. This translates into poor communication between IT/Security and Business. In the short term this can be improved by IT/Security aggregating security point solutions to provide a seamless, holistic risk rating, and then creating the metrics to demonstrate the impact of security on the business.

In the longer term, the problem provides an opportunity for security users and security vendors. As the move towards the adoption of security as a service (SaaS) solutions gathers pace, security teams can start to insist on the provision of usable metrics as part of the partner agreement.

Notes

[1] The Rise of 'Failure to Prevent' Crimes and CCO Liability; New York Law Journal (27 October 2014): http://newyorklawjournal.com/id=1202674374593
[2] Cyber-Risk Oversight Handbook (free to NACD members): http://www.nacdonline.org/cyber

PHONE 512.763.0555 EMAIL info@wisegateit.com www.wisegateit.com
Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.