Tracking Performance of Software Security Assurance

Wednesday, October 19, 2011

Article by Rafal Los

Tracking Performance of Software Security Assurance - 5 Essential KPIs

Every day, technology organizations amass terabytes, even petabytes, of data from various sources about the performance of their technology. Information security teams are no different in their obsession with gathering security data. There is, however, a vast difference between data, metrics and key performance indicators (KPIs).

Information security has been gathering volumes of vulnerability data and consolidating it into metrics for almost two decades, but those metrics rarely carry business context, and that gap cuts business leaders off from the knowledge they need to make informed IT risk decisions. KPIs take security metrics to the next level: they align with business goals and bridge the language barrier between technology and the business.

Making the leap from data points to contextualized, business-oriented KPIs is not trivial. Many mature IT organizations struggle to make the data they collect actually serve their goals. The pivotal moment comes when the information security organization accepts that the business does not always relate to its metrics.

IT security must take care to talk with the business, to ensure transparency and a clear understanding of business goals, so that security's "wins" are expressed through KPIs that serve both the technology strategy and the business risk strategy.

In application security, IT security teams can collect terabytes of data, and at the center of it are vulnerability counts: security teams showcase the number of critical vulnerabilities they have uncovered and, ultimately, remediated.

But when an application security test produces tens or even hundreds of "critical" vulnerabilities, what do those findings mean to the business? Which of them require action and spend, and why? More important, how does spending business resources on remediating them, or on implementing compensating controls, create a positive business impact? These are the questions that IT security's KPIs must answer.

While the IT security team tends to focus on the number of critical vulnerabilities, the business thinks in terms of total risk. Analyzed carefully, nearly every business application has critical security issues that could lead to some negative business impact, so a count alone does not say which of them matter most.

Business resources, including capital, human talent and time, are not infinite and must be allocated carefully to the truly business-critical issues. But how can an IT department tell whether that is being done? Today's metrics simply do not answer that question, and they leave IT security managers struggling to give their security programs business context.
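To make the count-versus-risk distinction concrete, here is a small illustration added to this page; it is not code from the white paper and it is not one of the paper's five KPIs. It takes the same set of scan findings and shows them two ways: the raw severity count that security teams typically report, and the same findings grouped by business application and weighted by an assumed business criticality. The findings, the application names, the criticality scores (assumed 1..5 scale) and the severity weights are all constructed for the example; a real program would take the criticality from the business owners, which is exactly the dialogue the article calls for.

```python
"""
Illustration (added example, not from the white paper): the same scan
findings viewed as a raw severity count versus grouped by business
application and weighted by that application's business criticality.
All data, weights and application names below are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample findings: (application, severity)
FINDINGS = [
    ("marketing-site", "critical"),
    ("marketing-site", "critical"),
    ("marketing-site", "critical"),
    ("marketing-site", "high"),
    ("payments-api", "critical"),
    ("payments-api", "medium"),
    ("hr-portal", "high"),
    ("hr-portal", "high"),
    ("hr-portal", "low"),
]

# Constructed business context: how much the business depends on each
# application (assumed 1..5 scale, supplied by the business, not by security).
BUSINESS_CRITICALITY = {
    "payments-api": 5,
    "hr-portal": 3,
    "marketing-site": 1,
}

# Assumed (hypothetical) numeric weight per scanner severity label.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def severity_counts(findings):
    """The traditional metric: how many findings of each severity, with no
    indication of which application or business process they affect."""
    return dict(Counter(sev for _, sev in findings))


def exposure_by_application(findings, criticality=BUSINESS_CRITICALITY,
                            weights=SEVERITY_WEIGHT):
    """Business-weighted exposure per application:
    (sum of severity weights of its findings) * business criticality.
    Applications missing from the criticality map default to weight 1."""
    raw = defaultdict(int)
    for app, sev in findings:
        raw[app] += weights[sev]
    return {app: raw[app] * criticality.get(app, 1) for app in raw}


def remediation_priority(findings, **kw):
    """Applications ordered by business-weighted exposure, highest first."""
    exposure = exposure_by_application(findings, **kw)
    return sorted(exposure, key=lambda app: exposure[app], reverse=True)


if __name__ == "__main__":
    print("By severity:", severity_counts(FINDINGS))
    print("By application (business-weighted):", exposure_by_application(FINDINGS))
    print("Remediation priority:", remediation_priority(FINDINGS))
```

Run as written, the raw count reports four criticals, three of them on the marketing site; the weighted view puts the payments API, which has a single critical finding, at the top of the remediation list. Neither number is wrong, but only the second one can be argued in front of the business.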

The secret to making key business decisions is translating the volumes of information security-related data into language the business can understand. The same goes for providing hard evidence on the success or failure of a Software Security Assurance (SSA) program.

This paper presents the five SSA program KPIs, how to collect them, what they mean to the organization and why they matter, and how to present them so that they demonstrate the measurable success of your security strategy. Drawing on knowledge and experience in building complex, successful SSA programs, it sets the groundwork for advancing beyond simple metrics.

See Infosec Island's recent video interview with Rafal Los.

Download the rest of this white paper here:
