“Security metrics are the bane of my life”

December 09, 2019

Nik

Security teams are struggling to get to grips with security metrics.

The Panaseer team and I hosted a dinner at FS-ISAC in DC last month. It was a great evening full of interesting people and engaging conversations about security metrics and measurements. But one thing that stuck with me more than anything was when a banking CISO said: 

‘Security metrics are the bane of my life’. 

You might think that CISOs were more challenged by the latest threat actors, their attack techniques, or changes to their business operations. But more and more, particularly in financial institutions, the biggest problem lies in generating security metrics.  

This point resonated with others and sums up the challenge for plenty of security leaders. Security metrics are painful. It’s difficult to know what to measure – and harder still to measure it with any confidence in the reliability of those measures. And it’s manual. Painfully manual.

There is ever-increasing scrutiny on security – our budgets, our models, our data. As a result, there is also a growing, industry-wide discussion about security metrics. That is, in my opinion, a very good thing. I said in my presentation at FS-ISAC that measurement and metrics have become the rock and roll of security. There are more discussions and ideas than ever in the community – it’s an area of security which is ripe for automation.

Too many requests for data 

So what’s the problem? As scrutiny increases, our security teams need to answer more questions, faster, with greater accuracy. Simply put, there are too many requests for data and too little automation to get them all done. 

On the one hand, done well, I don’t think this is a bad thing. Regulators and auditors are there for a reason – to push us to improve security and protect our customers. But on the other, it’s getting harder to keep up. And they could help us out by standardising and coordinating their requests…

There are constant manual interactions and exchanges of data between the security team and other stakeholders. Requests are increasing in number, requiring more detail, and becoming more complex. 

This may just be a quick call asking, ‘Can you verify X for me?’, but more likely it is an email chain passing spreadsheets and reports back and forth. As these micro-requests pile up around the macro-requests, and teams are required to go back to each individual data holder or tool, it becomes a serious drain on resources.

I recently met with the head of GRC for a US bank, who had a request from a regulator of 200 questions, with a turnaround time of two days. That is a lot of work in a short space of time, with no prior warning. It is a big undertaking, and it is seriously disruptive for the people actually operating security to have to stop and answer questions about it.

Security professionals don’t grow on trees. Why are we wasting a third of their time on manually reporting various interpretations of untrustworthy data? Couldn’t that time be better spent on actively improving security posture, rather than reporting on it?

Metric automation is the answer 

One solution is to automate the production of security metrics. The first step is a correlated, ground-truth source of data from our security tooling that’s available to both security and GRC teams. One that is robust, verifiable, and able to answer the key questions that are being asked.

That means everyone is singing from the same hymn sheet, and everyone is happy to stand behind the answers they give to these various questions because the data can withstand scrutiny. 

Continuous Controls Monitoring (CCM) can automate the collection, collation and presentation of security data. It gives all stakeholders a single source of truth, with timely and reliable data that everyone can agree on. This reduces the strain on the security team and gives internal and external stakeholders the answers they need, when they need them.

We recently caught up with Jim Doggett, former Chief Technology Risk Officer at AIG and Panaseer Board Advisor, to discuss how CCM can make stakeholder reporting more accurate and less time-consuming.

If you’d like to learn more about how CCM can help automate the production of security metrics in your organisation, book a demo with our team.