I am positively thrilled that my most popular entry so far is the one about incident response... This means that we must be coming to terms with the fact that data breaches are a statistical certainty and how we handle them is what matters.
Good news: this means we’ve got the attention we need. Now we need to convert this attention into the investment it requires.External statistics may give you the hook but, as abundant as they are, do not however make it relevant to your business when trying to secure the infosec investment you require...
Yes, you’ve guessed it: it’s all about metrics... But here’s the problem: the traditional way of measuring infosec doesn’t mean much to the business. Admittedly, I am a firm advocate of measuring everything and have always followed the principle: if in doubt, measure it.
This is because redundant measures always expose themselves very rapidly: they either don’t help you run your shop, or nobody around you is interested in them. So if you still have some of these, your job is to scrap them (be brave!) because it will save some time and resources to apply elsewhere.
As an example, what is the intrinsic value of measuring the number of attacks on your environment? It’s mildly interesting at best and irrelevant at worst. Going back to my old ditty, “Don’t spend £100 protecting a £1 asset”.
And we’re back to it again, the most important tool in your business armoury, as an infosec professional, is your asset register. And I don’t mean just servers or databases, I mean the repository of what your organisation cares about in terms of people, processes and technology.
I’ve explained in an earlier post that an easy way to get started is to engage with your Business Continuity Planning and Disaster Recovery units. Their purpose is to ensure your business continues running in the event of a disruption, so they’ll have a readymade list of key assets.
The next thing to do is to get close to your Operational Risk unit. Their Risk Register will be scrutinised regularly. Make it your aim to understand the risk register: your success will depend on your ability to understand the business risks and to find ways of using your “infosec armoury” to address some of those risks.
Put simply, you need to find the operational risk items that you can identify with: as they will have a loss value attached to them, anything you can do to help reduce that potential loss plays in your favour.
Examples can be:
- unauthorised transactions or processing: authentication management, single sign on, sandboxing, etc. will all play a role in reducing this type of risk. Operational risk provisions will be made in this area to cater for potential loss value. Undesirable events will be monitored. Therefore impact of infosec technology deployment on both provisions (future) and losses (actual) can be measured over time.
- system degradation: like the first example, losses in this category (e.g. loss of potential trades due to DDoS attack) are easily quantifiable. The deployment of security technologies and processes in this space (e.g. malware protection, perimeter protection, etc.) is therefore easily allocated.
- fraud: whilst this can mean many things to many people, fraud will manifest itself in any business and will always have a financial value, actual and projected. For example, online shops may be subject to credit card fraud and charge backs. Deployment of technologies such as 3D Secure and other authentication technologies will have a direct beneficial impact on fraud losses. Another example can be Intellectual Property theft, where DLP technologies/processes can be deployed to great effect, combined with the rest of the infosec armoury (e.g. authentication). Measuring the RoI of infosec technology and processes in relation to fraud reduction is an easy task.
The above are only three examples from many that exist in the real world and it would be an interesting exercise to try and compile a longer list (if you want to offer some more examples, you know where to find me and help is always appreciated!).
Evidently, infosec has to be run like a business if you want to solve the infosec investment equation. Successful metrics will have one thing in common: show me the money...
Until next time...
Cross-posted from neirajones