Breaking Down Cybersecurity Effectiveness (Part 1): Processes

Forbes Technology Council

Steve Riley is a Field CTO at Netskope.

Managing your security program and tracking its progress over time requires measurement. You’ve probably seen recent report stats about the average time to detect and/or mitigate a breach. While those numbers can help tell an important story, they’re really about cybersecurity efficiency—measuring how fast we’re doing something. But efficiency isn’t the same thing as effectiveness, which is measuring how well we’re doing something.

Cybersecurity programs are often broken down into three components—people, processes and technologies. The ongoing worldwide shortage of security talent typically compels us to boost the effectiveness of processes and technologies to reduce friction on people, balance the allocation of staff resources and help at least retain the current members of your team.

Process Effectiveness Survey

A primary outcome of measuring security policies and processes is generating data to make specific recommendations for process improvements. These measurements help ensure that the actions you take align with your control objectives.

To start, security leaders should use these five questions to survey their teams about existing processes.

• How confident are we that the process identifies/neutralizes threats and locates/protects data?

• How easy is the process to follow?

• Does the process support or annoy users?

• Is this process well-defined, or is it difficult to figure out how to make it work?

• How consistently does our group execute this process?

Then create a matrix. You can bucket the responses into four groups.

• High Confidence, Low Effort: Supports users and keeps us secure. Continue applying these processes!

• High Confidence, High Effort: Annoys users but keeps us secure. How can we make the user experience better?

• Low Confidence, Low Effort: Supports users but leaves us insecure. How can we improve our protection stance?

• Low Confidence, High Effort: Annoys users and leaves us insecure. We should retire these processes.

Measuring Awareness, Responsiveness And Alignment

It’s also useful to measure awareness, responsiveness and alignment to help evaluate process effectiveness.

Awareness

Awareness covers what we know, how we know it and if we see it when it happens. The infosec team should start by asking themselves: Do we understand the value of our data?

More often than not, this leads the infosec folks to ask themselves a deeper set of awareness questions: Does the value of that data inform our processes? Are our processes supportive of the value of that data, or do they maybe get in the way of realizing the value of the data?

Another measure of awareness could be the ratio of threats you detect and mitigate to attacks that simply blindside you. This may be a reflection of a risk management team’s maturity. More mature teams are going to detect threats more accurately and quickly, while people who are just getting started may end up getting blindsided more often. And there’s nothing wrong with that—so long as they learn from those experiences and reduce the number of times that something surprises them.

One way to help do that is by chatting with peers—other companies that are in the same business. What threats are they seeing more often than others? You can orient yourselves around the kinds of threats that are common for businesses in the same industry or of similar size.

Responsiveness

Responsiveness measurement helps answer whether you are helping more than hurting when something happens. Infosec and risk management teams should start by asking themselves: Do we receive appropriate alerts with all the necessary information to launch an investigation? If they’re not getting good alerts, then they’re not going to be able to do anything else. So the answer to that question should be yes—and if not, go fix that first.

The next question to ask is: Have we practiced our responses? In reality, reacting to threats is a rare event. On most days, teams are not reacting to anything. But when something nefarious emerges, what are you going to do? Instead of pulling some dusty old playbook off the shelf, teams should practice their incident response behaviors on at least a quarterly basis—so that when an actual attack happens, they’ve already got the necessary steps baked into their fingers.

The next question is the key to effectiveness measurement: Are we sure that the mechanisms we have for responding to incidents help mitigate future occurrences? Avoid continuing to execute a process if it’s not helping you reduce the likelihood of a similar vulnerability taking you down in the future. It’s also a good time to ask: Is our responsiveness helping us improve uptime and productivity?

Finally, you want to be sure that the infosec and risk management teams are being equally responsive across all business units. It may feel natural to want to give some business units more attention than others—and perhaps there’s a fair business justification for that from time to time. But you want to make sure teams are paying attention to all of the business units throughout the organization and not letting anybody go unattended.

Alignment

Alignment means making sure processes are in sync with business objectives. That’s actually not as difficult as it might sound. If we’re going to change or build a new process, whose input do we need? And besides input, who else do we need to get involved in this effort to change or build a new process? Which business units will this process affect? Who else needs to know, and how do we communicate it? These questions can be a useful guiding framework for coordinating security changes with other people who might be affected in the organization.

Finally, it’s always good to ask: Is this process something that we can automate? And if it is, it’s also worth considering whether you should obtain outside expertise to help you develop that automation framework.

Improving Process Effectiveness To Reduce Pressure

That’s it for process effectiveness measurement. In part two, we’ll go over measuring the effectiveness of technologies and tools—and also summarize why improvements in both of these cybersecurity domains help decrease pressure on the third point in our security triangle (people).


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.