I can’t believe my last post was on 4th March! I am positively thrilled that my most popular entry so far is the one about incident response... This means that we must be coming to terms with the fact that data breaches are a statistical certainty and how we handle them is what matters. Good news: this means we’ve got the attention we need. Now we need to convert this attention into the investment it requires. External statistics may give you the hook but, abundant as they are, they do not make the case relevant to your business when you are trying to secure the infosec investment you require...
Yes, you’ve guessed it: it’s all about metrics... But here’s the problem: the traditional way of measuring infosec doesn’t mean much to the business. Admittedly, I am a firm advocate of measuring everything and have always followed the principle: if in doubt, measure it. This is because redundant measures always expose themselves very rapidly: they either don’t help you run your shop, or nobody around you is interested in them. So if you still have some of these, your job is to scrap them (be brave!) because it will free up time and resources to apply elsewhere. As an example, what is the intrinsic value of measuring the number of attacks on your environment? It’s mildly interesting at best and irrelevant at worst. Going back to my old ditty, “Don’t spend £100 protecting a £1 asset”.
And we’re back to it again: the most important tool in your business armoury, as an infosec professional, is your asset register. And I don’t mean just servers or databases, I mean the repository of what your organisation cares about in terms of people, processes and technology. I’ve explained in an earlier post that an easy way to get started is to engage with your Business Continuity Planning and Disaster Recovery units. Their purpose is to ensure your business continues running in the event of a disruption, so they’ll have a ready-made list of key assets.
The next thing to do is to get close to your Operational Risk unit. Their Risk Register will be scrutinised regularly. Make it your aim to understand the risk register: your success will depend on your ability to understand the business risks and to find ways of using your “infosec armoury” to address some of those risks. Put simply, you need to find the operational risk items that you can identify with: as they will have a loss value attached to them, anything you can do to help reduce that potential loss plays in your favour. Examples include:
- unauthorised transactions or processing: authentication management, single sign-on, sandboxing, etc. will all play a role in reducing this type of risk. Operational risk provisions will be made in this area to cater for the potential loss value, and undesirable events will be monitored. Therefore the impact of infosec technology deployment on both provisions (future) and losses (actual) can be measured over time.
- system degradation: as in the first example, losses in this category (e.g. loss of potential trades due to a DDoS attack) are easily quantifiable. The deployment of security technologies and processes in this space (e.g. malware protection, perimeter protection, etc.) is therefore easily allocated against them.
- fraud: whilst this can mean many things to many people, fraud will manifest itself in any business and will always have a financial value, actual and projected. For example, online shops may be subject to credit card fraud and chargebacks. Deployment of technologies such as 3D Secure and other authentication technologies will have a direct beneficial impact on fraud losses. Another example is Intellectual Property theft, where DLP technologies/processes can be deployed to great effect, combined with the rest of the infosec armoury (e.g. authentication). Measuring the RoI of infosec technology and processes in relation to fraud reduction is an easy task.
The above are only three examples from many that exist in the real world and it would be an interesting exercise to try and compile a longer list (if you want to offer some more examples, you know where to find me and help is always appreciated!).
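To make the “show me the money” idea concrete, here is a small worked example of the measurement the three bullets describe: each operational risk item carries a loss provision (future) and actual losses (past), an infosec control is mapped against it, and the control’s loss reduction, provision release and RoI are tracked over time, with a flag for the “£100 protecting a £1 asset” case. This is an added illustration, not code from the original post; the register, the controls and every figure in it are constructed, and the RoI definition (annual loss avoided minus annual control cost, over control cost) is an assumption rather than something the post specifies.

```python
from dataclasses import dataclass
from typing import Dict, List


# Constructed example register: all figures are invented, in GBP per year.
@dataclass
class RiskItem:
    risk: str                    # operational risk register entry
    control: str                 # infosec control mapped to it
    control_cost: float          # annual cost of running the control
    provision_before: float      # loss provision set aside before deployment
    provision_after: float       # provision after deployment
    losses_before: List[float]   # actual annual losses before deployment
    losses_after: List[float]    # actual annual losses after deployment


def mean(values: List[float]) -> float:
    return sum(values) / len(values) if values else 0.0


def loss_reduction(item: RiskItem) -> float:
    """Average annual actual loss avoided since the control went in."""
    return mean(item.losses_before) - mean(item.losses_after)


def provision_release(item: RiskItem) -> float:
    """Capital released from the operational risk provision (the 'future' figure)."""
    return item.provision_before - item.provision_after


def roi(item: RiskItem) -> float:
    """Assumed RoI definition: (annual loss avoided - annual cost) / annual cost."""
    return (loss_reduction(item) - item.control_cost) / item.control_cost


def overspend(item: RiskItem) -> bool:
    """'Don't spend £100 protecting a £1 asset': control costs more than the loss at stake."""
    at_stake = max(item.provision_before, mean(item.losses_before))
    return item.control_cost > at_stake


def report(register: List[RiskItem]) -> List[Dict[str, object]]:
    """One row per risk item, best RoI first, ready to put in front of the business."""
    rows = []
    for item in register:
        rows.append({
            "risk": item.risk,
            "control": item.control,
            "loss_reduction": loss_reduction(item),
            "provision_release": provision_release(item),
            "roi": roi(item),
            "overspend": overspend(item),
        })
    return sorted(rows, key=lambda r: r["roi"], reverse=True)


# Constructed register mirroring the three examples in the post (plus an IP theft item).
REGISTER = [
    RiskItem("Unauthorised transactions", "SSO + MFA", 60_000,
             500_000, 300_000, [120_000, 140_000], [40_000, 30_000]),
    RiskItem("System degradation (DDoS)", "Perimeter protection", 50_000,
             250_000, 150_000, [80_000, 100_000], [20_000]),
    RiskItem("Card fraud / chargebacks", "3D Secure", 40_000,
             400_000, 200_000, [300_000, 320_000], [90_000, 80_000]),
    RiskItem("IP theft", "DLP", 120_000,
             50_000, 45_000, [5_000, 0], [0, 0]),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        flag = "  <- costs more than the asset" if row["overspend"] else ""
        print(f"{row['risk']:<28} {row['control']:<22} "
              f"loss avoided £{row['loss_reduction']:>9,.0f}  "
              f"provision released £{row['provision_release']:>9,.0f}  "
              f"RoI {row['roi']:>6.0%}{flag}")
```

With the constructed figures, 3D Secure comes out top (RoI well above 100%), the SSO/MFA and perimeter controls show a modest positive return, and the DLP deployment is flagged because its annual cost exceeds the whole provision it protects, which is exactly the conversation the metric is meant to trigger.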
Evidently, infosec has to be run like a business if you want to solve the infosec investment equation. Successful metrics will have one thing in common: show me the money...
And talking about money, my next post will show you how to use fraud to derive successful metrics.
Until next time...