Back in my days as a CISO, and even before that in various practitioner roles, two questions came up again and again from executives and management:
- Are we secure?
- How do we compare to $x?
Let’s start with the first question. Security is not binary. That is, it’s not a state of on or off. Security in its entirety should be viewed more like 256 shades of grey. It’s not a question of whether or not you are secure but rather how secure or insecure you may be. A lot of controls and decisions go into that state, each of them pushing you toward more secure or less, and each of those controls and decisions carries its own trade-offs.
What I’m really getting at is that it’s a bogus question. But you can’t really respond that way, so you take it with a grain of context and politely answer.
Now on to the second question, one that I find more interesting and more meaningful. A common concern amongst management is how they line up with the competition. If your security falls behind that of your competition they worry they will be burned by this and look bad. On the other hand, if they are way ahead of the competition, why? Sure it gives some level of comfort but are they spending too much on security? Could those dollars be better spent elsewhere? Ahh trade-offs again.
There may be many reasons why you need to be, or should be, ahead of your competition in securing applications and infrastructure. Perhaps you’re working in an infosec-lagging vertical where “keeping up with the competition” means you’re a target of opportunity on the Internet. Being a target of opportunity can come down to how you stand up against a particular vulnerability versus your neighbors on the Internet or in Google’s search index. Regardless of the reason, you’re going to need data to back you up.
Measuring what’s important to your organization, industry and management is the best way to answer these questions. Include not only metrics around these but also benchmarks to compare how you are doing versus your vertical, the broader industry and internally. Pick and choose your metrics carefully and make sure they pass the “so what” test. You can benchmark in an automated manner in some cases as well as loosely through industry organizations such as the ISACs and other areas where your industry gathers.