Research: Security Metrics Live – What’s Your Ideal Security Sleep Number?

Summary: RedSeal surveyed nearly 800 IT security professionals at the RSA Security Conference regarding security data overload, visibility into IT risk and perceptions around metrics. (Full report here)

Findings: Results indicated people are drowning in security data (73 percent), lack risk visibility (54 percent) and feel metrics could help (81 percent). Are metrics overhyped? Most (69 percent) said no.

Supposition: While every organization seeks highly individual indicators of performance, based on its unique demands and architecture, it first needs a set of measurements of basic controls to build on; RedSeal provides just such figures.

- – -

We’ve all seen the infomercial, after your favorite episodes of “The Office” or “Seinfeld” give way to the late night carnival barkers’ world of the ShamWow and other such miracle inventions.

It’s the groundbreaking Sleep Number Bed, offering a deeper night’s sleep than your $800 mattress. Can’t you see the smiling wife bouncing on her side while a glass of wine sits un-spilled on the other?

Despite any trickery, the sleep number is a novel idea, as certainly each of us has a unique comfort level. The same concept applies to the cars we drive (performance vs. economy), the food we eat (sugary/spicy), and just about anything else we select.

When it comes to those numbers most useful in measuring IT security effectiveness – aka IT security metrics – most practitioners agree that we could use some better indicators, but that these numbers must ultimately be tailored to suit individual requirements. Just like that perfect sleep number, each organization’s network anatomy dictates a different measurement of its comfort zone, influenced by its business and network topology.

In 2007, when former Forrester Research analyst Andrew Jaquith published his book “Security Metrics: Replacing Fear, Uncertainty and Doubt,” the topic ran hot but eventually faded after people grew tired of debating why metrics were critical or which stats to use, and as few organizations adopted the concept as a management strategy.

The metrics movement had seemingly been overtaken by people’s view that trying to measure a fuzzy concept such as IT security and risk management effectiveness in such a fashion wasn’t practical. But contrary to the opinion that its moment had passed, interest in security metrics actually remains strong.

RSA Survey: Sizing Up the Numbers

The report we published today with Dimensional, based on a survey of RSA Conference attendees about metrics, shows strong demand. Among the findings (full report is here):

- 81 percent said products that offer improved metrics would increase security effectiveness
- 69 percent said that an effort to produce improved security metrics was worthwhile
- 61 percent said they lack effective metrics today or don’t use them at all

Those figures are fairly conclusive. To illustrate the need further, we also found that:

- 73 percent said today’s data volume makes it hard to filter, analyze, and assess changes in risk
- 54 percent said they either can’t maintain top-down visibility into risk or don’t know if they can
- Only 11 percent said that their network security infrastructure was under control all the time

The last figure is likely a result of people being honest and admitting that no one is completely sure how well IT security is working 24×7. But clearly there’s still a desire for better security metrics today.

You Can’t Use the Hand to Cut a Tomato

The Ginsu blade is one of the best infomercial products ever. You may be able to use your hand to chop wood if you know karate, but there’s no way you can use it to cut a tomato. This is an applicable point.

The problem with “security metrics 1.0” was that many people were trying to find performance indicators that could be applied within any organization, or across many organizations. As noted above, like a sleep number, every CISO has unique concerns, making most generic measurements impractical. What you need, we’d argue, is a set of basic security metrics that lets you build a baseline and then develop the individual stats you ultimately need.

At RedSeal we often invoke the Verizon DBIR stat that most attacks could be prevented by more consistent management of simple controls. This year it was 97 percent, last year 96 percent; it just keeps going up. Organizations clearly need a better way to test the effectiveness of such controls.

Not surprisingly, when we asked people for their top priorities in our survey, we didn’t hear that it was stopping hacktivism, APTs or some other new threat. Improving data protection, increasing visibility, bolstering network security and speeding vulnerability remediation, along with strengthening endpoint defenses, were the leading priorities.

Over the last year, RedSeal has increasingly identified security metrics – those that highlight unwanted access to critical assets and exposed vulnerabilities, and that monitor attack surface – as the most effective baseline indicators for measuring fundamental elements of security effectiveness.

We did a well-received webcast with Securosis analyst Mike Rothman on the topic, our CTO Mike Lloyd drew rave reviews for his “Security Metrics That Don’t Suck” talk at the SecurityBSidesSF show, and the feedback has been resoundingly consistent in support of these RSA survey results.

IT security practitioners are desperate to get their hands on smarter metrics, and automation is seen as a means of filtering through the data to find them. A product that provides such measurements and empowers creation of more detailed, sleep number type stats is something many people currently seek.

RedSeal is just such a product. And for only three payments of $19.99 on top of licensing, if you buy today we’ll throw in a Veg-O-Matic so that after a slumber, you start the day with fresh squeezed juice.

OK, well maybe not on the juicer, but RedSeal can help you isolate, monitor and trend metrics that help you to improve protection, maintain continuous compliance and lower risk, and more efficiently allocate resources.

Call today!