In the 80s, when organizations started buying computers, buying networks, and finding infrastructure, companies recognized the importance of having a reliable, resilient infrastructure, so they created an information officer. And in the 80s, they were buried under operations.
Executives quickly realized that operations
What is the metric of CIOs? It’s uptime availability. Five nines.
Based on many of the recent breaches, we have learned that putting security under the CIO does not work. The CIO has a completely different function than a chief security officer. It becomes a communication block where the executives are not getting the information that they need. The CIO was getting it before that. But it’s time to give up the territory.
Security is a different function. It’s different than uptime availability. Those two are sometimes adverse. You could not have one person responsible for both because that’s a CEO’s decision, not the CIO’s. The decision between uptime availability and security should be made in the boardroom – not by an independent person.
The next thing we need to do is come up with the five nines of security. We need a metric that we can use to report on security. So we now need to go in and figure out what the five nines are. Now I will be honest with you: I have put a lot of energy and effort into this. I do not think my answer is ready, but I don’t have anything better.
And I’ll tell you right now, it’s a lot better than the default metric that you have today. The default
Whenever a major breach occurs, basically whoever’s responsible for security loses their job, because the metric that executives were using was “no breach equals security” and “breach means failure.” Unfortunately, we’re all going to have a breach. So if that’s our metric, you need to update your resume.
The better metric is “Attempted Attacks.” I’m not saying it’s perfect, but here’s the rule: you’re not allowed to say my metric is bad unless you propose something better.
Here’s what I like about “Attempted Attacks” – it’s a positive metric. It’s showing what you’re doing.
One of the metrics I hate is “Vulnerability Data.” It’s a negative metric. It’s where you go to your executives and say, “Last quarter we had 300 vulnerabilities.” Then you come back and say, “This quarter we have 280 vulnerabilities.” And then next quarter you say, “We have 340 vulnerabilities.” And so on. What are you doing? You are basically going to your executives every quarter and saying, “Look how much we suck.” If I were an executive, after three or four quarters what would I be thinking? “What’s my security team doing?”
We need a positive metric. “Attempted Attacks” is a positive metric.
That starts to give us an estimate of the number of attempted attacks that are occurring against our organization. So at least we have a starting point for a metric that we can now give to the executives. The feedback I’ve heard from my own clients is, “Finally security is stepping up and defining a communication metric that we can understand.”
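As an added illustration, not part of the original post: a small script that computes the “Attempted Attacks” figure per quarter from constructed firewall and authentication log lines. It assumes (my assumption, not the author’s definition) that a blocked inbound connection or a failed login counts as one attempt per source address per day, so a port scan of a hundred ports does not inflate the number.

```python
"""Compute an "Attempted Attacks" metric per quarter from sample log lines.

Assumption (not from the original post): an attempt is a firewall DENY or
an authentication FAIL, counted once per source per day per category.
"""
import re
from collections import defaultdict

# Constructed sample log lines using documentation address ranges; not real traffic.
SAMPLE_LOGS = """\
2024-01-03 02:14:07 fw DENY src=203.0.113.10 dst=198.51.100.5 dport=22
2024-01-03 02:14:08 fw DENY src=203.0.113.10 dst=198.51.100.5 dport=23
2024-01-03 02:14:09 fw DENY src=203.0.113.10 dst=198.51.100.5 dport=3389
2024-01-03 09:30:00 auth FAIL user=admin src=203.0.113.77
2024-02-11 11:00:01 fw DENY src=198.51.100.200 dst=198.51.100.5 dport=445
2024-04-02 03:03:03 fw DENY src=203.0.113.10 dst=198.51.100.5 dport=22
2024-04-15 08:00:00 auth FAIL user=root src=192.0.2.44
2024-04-15 08:00:02 auth FAIL user=root src=192.0.2.44
2024-05-01 12:00:00 fw ALLOW src=192.0.2.9 dst=198.51.100.5 dport=443
"""

# date, time, source kind (fw/auth), verdict, then the src= field somewhere later
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<kind>fw|auth) (?P<verdict>\w+)"
    r" .*?src=(?P<src>[\d.]+)"
)

def quarter_of(date: str) -> str:
    """Map an ISO date string to a reporting quarter such as 2024-Q1."""
    year, month = date[:4], int(date[5:7])
    return f"{year}-Q{(month - 1) // 3 + 1}"

def attempted_attacks(log_text: str) -> dict:
    """Return {quarter: {"firewall_blocks": n, "failed_logins": n, "total": n}}."""
    seen = set()  # (quarter, kind, src, date) already counted
    per_quarter = defaultdict(lambda: {"firewall_blocks": 0, "failed_logins": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, verdict = m["kind"], m["verdict"]
        if (kind, verdict) not in {("fw", "DENY"), ("auth", "FAIL")}:
            continue  # allowed traffic and successful logins are not attempts
        q = quarter_of(m["date"])
        key = (q, kind, m["src"], m["date"])
        if key in seen:
            continue  # dedupe: one attempt per source per day per category
        seen.add(key)
        bucket = "firewall_blocks" if kind == "fw" else "failed_logins"
        per_quarter[q][bucket] += 1
        per_quarter[q]["total"] += 1
    return dict(per_quarter)
```

Run against the sample, the three DENY lines from 203.0.113.10 on the same day collapse into one attempt, which is the property that keeps the number honest when it is reported quarter over quarter.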
For more cyber security tips, keep checking out my blogs or follow me on Facebook, Twitter, or LinkedIn. For your own company’s security assessment or any other questions or concerns, reach out to me at secure-anchor.com/contact.