Making Metrics Stick for Threat Management
(This is the second installment in a two-part series on the benefits of leveraging unified security metrics to improve responsiveness and reduce vulnerabilities across the enterprise. The first installment, on the metrics themselves, can be read here.)
Security risk represents uncertainty, and potentially even danger. Neither of these is good for an organization’s overall health. Over the past year, the Infosec Team in Cisco’s Threat Response, Intelligence and Development group launched a Unified Security Metrics (USM) program as a way to make sense of volumes of network data and reduce security risk. Even at this relatively early stage, we have identified four clear indicators that the USM program is doing the right things to improve Cisco’s security posture across the organization. These indicators are applicable to anyone undertaking a security metrics journey.
1. Everyone Is Responsible for Security
Information security is everyone’s responsibility. It relies on expertise and cooperation from teams across the company. When everyone shares accountability for security, each team member becomes an agent of positive change. Part of our team’s success has come from the creation of two newly defined roles: Security Service Primes, who are the “Chief Security Officers” of their respective IT service area (managers), and Partner Security Architects, who are the Subject Matter Experts (technical leads). Neither is part of the InfoSec organization, but they’re fully trained on security and have broad responsibility to govern security. Designating this virtual team of trusted advisors throughout IT helps the InfoSec team scale and embed security into the IT organization’s DNA.
2. Risk Management Frameworks and Reporting
In a fast-changing IT environment that includes cloud, virtualization and mobile computing, it is important to have a well-defined library of common controls within IT to manage risk. Cisco’s IT Risk Management (ITRM) uses a universal framework to manage risk globally in the areas of resiliency, Sarbanes-Oxley (SOX) compliance, Governance Risks and Controls (GRC) audits, ISO9001, Cloud and Application Security Providers and security.
Risk management reporting dashboards found within ITRM provide tremendous insight and visibility at both the service and application portfolio level. By incorporating security metrics into this ITRM framework, IT functions and service areas can make better risk-aligned investment decisions. The security metrics also help to increase efficiency and effectiveness in satisfying regulations, audits and risk compliance requirements.
3. Transparent Reporting
For IT service owners, transparent reporting systems are vital to making corrective actions in a timely manner. Quarterly reporting systems provide detailed security analysis, such as vulnerability and on-time closure metrics at the working, management, and executive levels to help these groups drive remediation efforts, assess risk and identify trends.
This transparent and inclusive approach has increased program adoption among IT service areas and, unexpectedly, created a sense of competition among different IT teams to drive success toward improved performance.
4. CIO Involvement
Most CIOs require getting a “big picture” view of business risk before they make key decisions. This includes what is going on at the IT enterprise level. CIO decisions can affect the organization’s intellectual property, marketing, legal, human resources, reputation management, disaster recovery planning and even finance activities.
The USM program at Cisco is part of a broader CIO initiative called Pervasive Security Accelerator (PSA). Security metrics obtained from the quarterly ITRM dashboard give the CIO a consistent picture of Cisco’s security posture from disparate IT systems in a consolidated report and enable prompt, responsive interaction for remediation efforts between IT service owners and the CIO. Ultimately, this leads to improved security performance.
Icebergs pose significant risk because only 10 percent can be seen above the surface, while more than 90 percent remain hidden below. Similarly, metrics and numbers on a chart represent only the tip of an iceberg. Rich, meaningful and actionable data, when leveraged successfully, can drive great results and outcomes. As the USM program embarked on uncharted waters, the journey taught us valuable lessons along the way.
Teamwork Fosters Success
Any ambitious undertaking needs a strong team. For the USM program, partnerships are a key component of success. These include Service Security Primes and Partner Security Architects, who are a virtual team of trusted security advisors. They, in cooperation with IT service owners, risk management groups, and decision makers (including the CIO), work in concert with InfoSec to secure and protect Cisco. Because of InfoSec’s tight alignment with these groups, it can more effectively manage security investments, actions, and processes globally. This enables advance metrics beyond basic security hygiene to more sophisticated posture assessments (i.e. risk determination) within IT and other outside organizations.
Start Small and Grow Organically
Starting small enables you to monitor, measure and adjust your security metrics program as you go. This measured pace allows for standardization of existing program processes and enables you to create IT service owner “champions” that can evangelize your security program for broader adoption and long-term sustainability.
Train for Success
Training is an essential aspect of any new endeavor. Cisco uses formalized, ongoing programs to train employees, such as the Security Knowledge Empowerment (SKE) program. The program expands security knowledge across the organization in curricula ranging from security basics to more in-depth classroom work, mentoring and group projects. When combined with Service Security Primes and Partner Security Architects, the SKE program provides a potent conduit to expand security DNA throughout the company.
Trust Creates Credibility
Keeping the USM process open, transparent, and non-punitive is key in building trust and credibility with multiple stakeholders. They can count on InfoSec to consistently deliver reliable, unbiased metrics. Ample time is also provided for broad internal team reviews and remediation efforts, along with clear communication for next steps. As a result of these collective activities, shared responsibility and accountability become the norm, fueling early program adoption among IT service areas and improved security performance.
Stay in the (Flow) Loop
Communication process flow loops are essential for maintaining consistent security metrics. Establish a 13-week, quarterly timeline so that IT service owners know when they can expect their security data, where they can find the data (ITRM dashboards, portal sites), and how to interpret the data (reports). This enables users to access vital information in real time, and creates better synergy and dialogue between groups to remediate any security issues found.
To Solve Business Problems, Don’t Over-Engineer
It isn’t rocket science, but it is important for IT organizations to regularly track risk metrics. Begin by pulling data from IT system logs and dashboards. InfoSec narrowed their data sources from 30 to five and, in doing so, drove security process improvement behaviors and action within IT. The key is determining what you want to measure and what outcomes you want to achieve.
The Unified Security Metrics program was designed to solve today’s IT infrastructure security challenges. To do so, our team set out to measure the security posture of its IT services over time, promoting continuous improvement and providing a feedback mechanism to IT service owners and leaders. Increasing our visibility into the network provides greater intelligence on where vulnerabilities are in critical systems, which we use to improve security across the enterprise. The result is a program where actionable metrics can solve real business problems and transform an organization.