The Cybersecurity Cost Center Problem
One of the most challenging aspects of working in cybersecurity is demonstrating value. Despite the breaches that dominate the news and the headlines about ransomware wreaking havoc on organizations every day, the fact remains that for the vast majority of organizations the cybersecurity department is a cost center. Business leaders do not need to understand the deeply technical aspects of the technology they use, only its cost-benefit. For this reason, the industry talks in terms of risk. Risk is the shared language between cybersecurity and the business; it is something businesses understand well, and it is a guiding principle in decision making. We know that cybersecurity programs reduce the risk of breaches, but the questions are by how much and at what cost. That leads me to ask: is there such a thing as too much security? Well, quite frankly, yes there is... The security guy inside me is screaming “Wait, no… we keep you safe, what about the data we’re charged to protect? What about the company’s reputation?”
We need to understand that most businesses do not exist to provide cybersecurity, but to provide goods or services and, more to the point, to make money. To make informed business decisions about an appropriate level of security, we need data. That data comes from cybersecurity metrics.
Gather the Numbers
Where do you turn when you need to generate metrics about cybersecurity? Look both outward (industry-wide statistics) and inward (internal statistics).
Industry-wide statistics come from many different sources. For example, the Ponemon Institute does an annual study related to the cost of data breaches (https://www.ibm.com/security/data-breach), which contains a lot of great information. Verizon also releases an annual study of trends in data breaches known as the Verizon Data Breach Investigations Report (DBIR) (https://enterprise.verizon.com/resources/reports/dbir/), which breaks down data breaches by industry, attack vector, and vulnerability. There are also industry-specific publications that can be referenced, such as the summaries of healthcare data breaches published on the Department of Health and Human Services Office for Civil Rights website (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf). These can be great tools for understanding potential impact, threats, likelihood, and the overall cost associated with real-world incidents.
Internal statistics are arguably even more important than industry-wide ones because they are specifically focused on the risks to your organization in particular. There are many ways to generate internal cybersecurity metrics; one of them is to measure incident response. Your incident response plan and procedures should include the steps to document the incident. Some organizations use IT ticketing systems to record efforts and track cybersecurity incidents throughout their life cycle. You will want to record data such as:
- Time the incident occurred
- Time the incident was detected
- Response start time
- Response end time
- The incident responder(s)
- Who or what technology reported/detected the incident
- Incident category
- Whether data was stolen (if so the data’s classification and volume)
- Incident outcome
This will give you the data needed to produce statistics such as:
- Mean Time-to-Detect (MTTD) – average time it takes to detect that an incident has occurred
- Mean Time-to-Respond (MTTR) – average time it takes to respond to an incident once it has been detected
- Number of incidents by category
- Number of incidents by classification of data stolen
- Number of incidents by volume of data stolen
- Number of incidents by responder(s)
- Number of incidents by detection mechanism
You can also collect metrics on the effectiveness of your security awareness programs:
- Number of participants
- Average score of course exams
- % of clicks on security awareness phishing campaigns
- % of users reporting emails during security awareness phishing campaigns
Your vulnerability management program is another excellent source of metrics:
- Vulnerabilities by severity (low, medium, high, critical)
- Vulnerabilities by data/system owner
- Vulnerability age – how long from detection to remediation
- Vulnerabilities by type (network, operating system, application, configuration, etc.)
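The incident fields and vulnerability fields listed above are only useful once something turns them into MTTD, MTTR, counts and ages. The script below is an added example, not code from the original article: it computes those statistics from constructed ticket rows. The field names, categories, severities and the detection mechanisms are assumptions about what a ticketing system or scanner export might contain, and all rows are made-up sample data. It also handles the case the averages can silently hide: an incident that has no detection timestamp yet is excluded from MTTD/MTTR and reported separately, and an open vulnerability is aged up to a reporting date rather than dropped.

```python
"""Incident-response and vulnerability metrics from ticket records.

Added example, not part of the original article. Record layouts are
assumed; every row below is constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed incident tickets (not real incidents). 'detected' is None for an
# incident that is known to have happened but has not yet been detected by us.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00:00", "detected": "2024-03-01T09:30:00",
     "response_start": "2024-03-01T09:45:00", "response_end": "2024-03-01T13:45:00",
     "category": "phishing", "detected_by": "user report", "data_stolen_gb": 0},
    {"id": "INC-2", "occurred": "2024-03-02T22:00:00", "detected": "2024-03-04T10:00:00",
     "response_start": "2024-03-04T10:10:00", "response_end": "2024-03-05T18:10:00",
     "category": "malware", "detected_by": "EDR", "data_stolen_gb": 2.5},
    {"id": "INC-3", "occurred": "2024-03-10T12:00:00", "detected": "2024-03-10T12:30:00",
     "response_start": "2024-03-10T12:40:00", "response_end": "2024-03-10T14:40:00",
     "category": "phishing", "detected_by": "email gateway", "data_stolen_gb": 0},
    {"id": "INC-4", "occurred": "2024-03-12T03:00:00", "detected": None,
     "response_start": None, "response_end": None,
     "category": "unknown", "detected_by": None, "data_stolen_gb": 0},
]

# Constructed vulnerability findings (not real). 'remediated' is None while open.
VULNS = [
    {"id": "VULN-1", "severity": "critical", "owner": "web team", "type": "application",
     "detected": "2024-02-01", "remediated": "2024-02-05"},
    {"id": "VULN-2", "severity": "critical", "owner": "infra team", "type": "operating system",
     "detected": "2024-02-01", "remediated": "2024-02-21"},
    {"id": "VULN-3", "severity": "high", "owner": "infra team", "type": "network",
     "detected": "2024-02-10", "remediated": None},
    {"id": "VULN-4", "severity": "low", "owner": "web team", "type": "configuration",
     "detected": "2024-01-15", "remediated": "2024-03-01"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp from a ticket export; None stays None."""
    return datetime.fromisoformat(value) if value else None


def mean_delta(deltas):
    """Average a list of timedeltas; None when there is nothing to average."""
    return sum(deltas, timedelta()) / len(deltas) if deltas else None


def incident_metrics(incidents):
    """Derive MTTD, MTTR and the count breakdowns from incident records.

    MTTD is occurred -> detected and MTTR is detected -> response_end, which
    match the definitions in the article. Incidents without a detection time
    are left out of both averages and counted under 'undetected' so they do
    not disappear from the report.
    """
    ttd, ttr, undetected = [], [], 0
    stolen = defaultdict(float)
    for inc in incidents:
        stolen[inc["category"]] += inc["data_stolen_gb"]
        occurred, detected, ended = _ts(inc["occurred"]), _ts(inc["detected"]), _ts(inc["response_end"])
        if detected is None:
            undetected += 1
            continue
        ttd.append(detected - occurred)
        if ended is not None:
            ttr.append(ended - detected)
    return {
        "mttd": mean_delta(ttd),
        "mttr": mean_delta(ttr),
        "undetected": undetected,
        "by_category": Counter(i["category"] for i in incidents),
        "by_detection": Counter(i["detected_by"] or "undetected" for i in incidents),
        "data_stolen_gb_by_category": dict(stolen),
    }


def vulnerability_age(vulns, as_of):
    """Mean age in days per severity, plus open findings per owner.

    A remediated finding ages from detection to remediation; an open one
    ages from detection to the reporting date `as_of` (ISO date string).
    """
    ages, open_by_owner = defaultdict(list), Counter()
    report_date = date.fromisoformat(as_of)
    for v in vulns:
        found = date.fromisoformat(v["detected"])
        fixed = date.fromisoformat(v["remediated"]) if v["remediated"] else None
        if fixed is None:
            open_by_owner[v["owner"]] += 1
        ages[v["severity"]].append(((fixed or report_date) - found).days)
    return {sev: sum(d) / len(d) for sev, d in ages.items()}, open_by_owner


if __name__ == "__main__":
    m = incident_metrics(INCIDENTS)
    print("MTTD:", m["mttd"], "MTTR:", m["mttr"], "undetected:", m["undetected"])
    print("by category:", dict(m["by_category"]), "by detection:", dict(m["by_detection"]))
    print("vulnerability age (days) / open by owner:", *vulnerability_age(VULNS, "2024-03-01"))
```

Keeping the averages as `timedelta` values rather than floats keeps the arithmetic exact and lets the report print them in hours and minutes; converting to hours only at presentation time avoids rounding surprises when the numbers are later compared against an industry benchmark.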
Measure Success
Gathering this data will be challenging at first; however, most of it is simple to automate within your ticketing system, vulnerability scanner, phishing and user awareness platform, etc. Once the hard work is done upfront, we can determine:
- How to evaluate the Incident Response (IR) team based on their response times
- Who the hardest-working IR team members are, based on how many incidents they work in a given period
- How well our detection mechanisms are working, based on how long it takes to detect incidents
- When a detection mechanism fails if we detect the incident further down the kill chain
- Impact of specific incident categories based on data theft and volume
- The effectiveness of your cybersecurity awareness program, by watching the trends in users’ scores and the % of users that report security awareness phishing campaigns
- Which system/data owners are security rock stars and which need some help based on their vulnerability patching and configuration data
- The types of vulnerabilities in our systems (do we need better patching, network segregation, or web application security)
Analyzing the data from these security metrics creates actionable intelligence that is specific to your organization. Armed with this data we can then better define the risks and the efforts of the cybersecurity department to reduce those risks. Collecting and analyzing this data will allow you to focus your resources on the projects, the technology, and people that provide the most value to the organization.
Inform Spending
When going to the business to ask for resources, time, money, or people, we ideally want to communicate to them in dollars. Security metrics can drive security leadership to spend the available resources on the things that provide the most bang for the buck. When you go to ask for the newest email security gateway complete with sandboxing, threat feeds, and all the bells and whistles, provide evidence showing email phishing as the number one attack vector faced by your organization. What about staffing? If you can show that your mean time to respond is not aligned with the industry average, it could be a technology, process, or staffing problem. These can all be demonstrated with the appropriate metrics informing resource-spending decisions. Perhaps you have legacy technology in place, and it has become a liability to your organization. Showing vulnerability statistics may very well help the business understand the risk (and hidden costs) associated with keeping it around.
As cybersecurity matures (we are still a relatively new discipline), we must try to tighten the integration with our business counterparts. Security metrics help merge business goals with security needs, ultimately providing a more effective and efficient cybersecurity program.