
Implementing security metrics that matter: Can you handle the truth?

November 04, 2019

Nik Whitfield

Security teams are drowning in measurement requirements. So much so that more than a third of an enterprise security team’s time is spent on manual reporting, according to a study earlier this year.

On top of that, the measurements themselves are not well received. The strong majority of enterprises have concerns around lack of visibility, trust, or insight on the data they get from these measurements. 

It’s a big challenge and it’s going to get worse, fast. New regs, like the MAS Cyber Hygiene Notice for financial firms operating in Singapore, require a continuous 360° view of every asset across multiple controls. That’s a big step up from previous regulations, and meeting it will require security teams to reach higher levels of measurement maturity.

In my work with security teams on measurement programs, I can see 5 maturity levels: 

Level 1 is ‘Hope and Pray’: manual, questionnaire-based assessment. This is already no longer feasible.

Level 5 is ‘Enlightenment’: automation, a 360° view of all assets, business alignment, security framework alignment. With more regulations around the corner, these capabilities will become the norm, and eventually it will no longer be acceptable to fall short of them.

So, what are the implications? 

The further along the maturity index we progress, the more the true state of security comes to light. The big question is, can you handle the truth? 

One of the more difficult parts of our job as security leaders is to be aware that there are hard truths about security. Communicating those to the accountable stakeholders, ultimately the board, could be uncomfortable. It is impossible to achieve 100% security, and we cannot assume we are protected if we don’t know what assets we have, whether controls are in place, and whether they’re performing. The truth is tough, but we need to face it to overcome it. Our customers expect it, and ultimately, they pay our wages. 

In my presentation at the FS-ISAC Fall Summit in Washington DC, I’ll be talking about how Continuous Controls Monitoring can help on the road to Enlightenment.


Presentation: Implementing Security Metrics that Matter 

FS-ISAC Fall Summit, Washington DC, Monday 18th November, 3.15 pm. 

It would be great to see you there – please feel free to come and see us at the Panaseer booth afterwards.