Information security may have been generally viewed in the past as something that’s difficult to measure, but security managers are now recognizing that metrics could make or break security budget allocations.
Justification of security spending is the top driver for establishing information security metrics, according to a recent Forrester Research survey of CISOs and senior security executives in 39 private and government organizations. Sixty-three per cent of the respondents are looking at security metrics to validate their department spending.
“Most information security managers realize that they can no longer keep asking for increasing budgets or use the excuse…that measuring security is simply impossible,” wrote Forrester analyst Khalid Kark in his research paper entitled, Defining Business-Centric Metrics for Information Security.
Kark said that in the past few years, information security spending has shown an uphill trend, becoming a substantial percentage of the corporate budget. But while security has been given “significant responsibility” in the enterprise, it has managed to operate “without real accountability,” until recently, he said.
Senior-level executives are getting concerned about rising incidents of security breaches and are starting to demand reporting from their CISOs on the effectiveness of the organization’s security controls, said Kark. In 2005, more than 52 million personal customer records were breached, according to Forrester.
Justifying security spending, however, is a “reasonable business requirement,” stressed Brendan Seaton, chief privacy and security officer for Toronto-based Smart Systems for Health Agency (SSHA). SSHA provides highly secure data centre and network hosting services to hospitals and other healthcare facilities in the province.
“I wouldn’t say that I’m under pressure from my organization to cut back on security spending; they’re just starting to say, ‘Where are you spending the money and can you provide us some evidence that you need that?’,” Seaton said.
While security spending has steadily increased in the past, Forrester expects security budgets will decline from 8.9 per cent of total IT spending in 2005 to 7.8 per cent this year.
Seaton explained that the decrease in security budgets is not an indication that corporate decision-makers no longer see security as an important part of the business. Most organizations that invested heavily in their security infrastructure in the past have now reached “operations maintenance” mode, sustaining past technology investments and keeping them up-to-date, he said. “We’re certainly not having to invest the same amount of money as we did in the start-up [phase].”
Obtaining the right kind of information from security metrics at the right time to satisfy the reporting requirements of C-level executives has also presented some challenges for CISOs, said Kark.
“Reporting the status of (the) security initiatives of multiple business units can be a tricky proposition,” wrote Kark. “Some managers may be reluctant to share status with other business units, while others may be comfortable and willing.”
He added that business units also need to be monitored and measured individually to ensure that each one is not introducing risks that are unacceptable to the business.
Forrester recommended three steps for developing information security metrics that involve both operational and business-centric measurements.
“Defining a set of operational metrics is a security manager’s highest priority,” said Kark.
The first phase of developing security metrics, according to Kark, centres on protecting the enterprise, which involves configuring security controls, identifying the gaps and providing measurements that determine the level of security of the organization.
In the second phase, security managers should add metrics that link the security objectives to business goals and risk tolerance, and ensure that identified risks are addressed quickly and appropriately, according to Kark.
In the last phase, security managers are encouraged to add metrics that focus on comprehensive risk management.
By combining metrics input from the first phase with the external threat environment, security managers can present a solid analysis for future security directions, said Kark.
SSHA’s Seaton said that integrating security metrics with the organization’s risk management framework enabled his department to present a more comprehensive and compelling business case to the senior executives. SSHA began implementing security metrics about five years ago, but it only started to integrate them with the agency’s risk management system over a year ago, said Seaton.
He explained, “Looking back two or three years ago, I was honestly challenged getting traction with my executive colleagues for support…on security, but when I started [presenting it from the perspective of] the real business risks for the organization and the (business) consequences of a virus attack, then translated that into lost productivity and sales, all of a sudden [senior executives] started paying much more attention.”