Phil Cracknell - ClubCISO Metrics – The story so far… (#ExecLN Event)


Upload: executive-leaders-network

Posted on 18-Jan-2017


TRANSCRIPT

Page 1: Phil Cracknell - ClubCISO Metrics – The story so far…(#ExecLN Event)

Information Security Metrics

CISOs need to speak the language of the board

The story so far…

Page 2

Phil Cracknell

What I am
• Interim CISO
• Board advisor
• Fellow of the British Computer Society and a CISSP since 2001
• 28 years' experience in information security
• Former CISO (6 times)
• Headed consultancy practices
• Founder and chairman of ClubCISO
• And of course…
• Cyber Security Personality of the Year 2015

What I am not
• Selling anything
• Gaining or profiting from the metrics project
• Anti-vendor

Page 3

CISO - “We have detected 55,000 viruses this month!”
CFO - “Wow”
CISO - “And there were 60,000 the month before!”
CFO - “Is that better or worse?”
- Silence -

CFO – “Are we detecting less because we are losing laptops off our network or are we being targeted less?”
CISO - “Errrr”
- Tumbleweed moment –

CISO – quick thinking and changing the subject - “And we’re riddled with malware you know…?”
CFO - “How much does that cost us?”

Page 4

Why them and not us?
• Our profession (information security) has lacked a balanced, independent and common unit of measurement, metric, KPI or risk indicators.
• For example, CFOs have long had well-established and trusted equivalents: EBITDA, PE value, days to close, finance headcount ratio etc.
• Why has this universal unit of measurement evaded information security professionals for so long?

Page 5

But why?
• I’ll tell you why: it’s because those nasty vendor types got together, realised that we were never going to have anything plausible or tangible to scare our board, and so they kindly filled the void, producing value after value…
• Seriously, we can’t blame the vendors though. The values produced by them, values that we have relied upon and tried to explain in terms that a board can understand, generally reflect the performance of their product – and why not?

Page 6

Project “Metrics”
• Businesses are waking up to the fact that they need metrics/risk indicators that our board, audit committees and non-exec directors understand, for they are the key to budget, extra staff, a corner office and a job for life.
• OK, maybe two of those are not true, but they will make life easier.
• It’s not uncommon to get that Monday morning swoop-by when the CEO has read something in the Sunday Times and wants to know “where we are with that one?”
• “And what are others doing?”
• Metrics, as ClubCISO originally decided to call them, are the key to our future. They are being defined by CISOs alone; they detail exactly how we demonstrate our effectiveness, pinpoint our responsibilities and highlight investment or lack of it, and what ensues… They will change the world.

Page 7

How it all began…
• So we got 25 CISOs together in a working party, a combined 350 years of information security experience, and we grabbed a supply of Post-it notes and pens and asked the CISOs to write down what they considered to be their top five metrics. Having stuck the notes on the wall, we then proceeded to group the notes into collections of similar values. The results showed five general ‘headings’ or families into which the majority of Post-it notes fell. This was our starting point.
• It’s not just about creating a framework for metrics and then individually producing them. We had to cunningly establish a second workstream - a communications group - to lobby, educate and inform audit committees, data privacy officers, non-exec directors and influencers on what exactly the metrics could do for them.
• They may not fully appreciate a top level metric at the moment, but they are more than familiar with board risk indicators, and our top level metrics will ultimately feed into these already understood values and add some further perspective.
• Going forward, we want to be able to demonstrate ‘what if’ and investment modelling scenarios to show trends if we invest more, less or differently.

Page 8

Metrics – top level
• Exposure
• Agility
• Culture
• Incidents
• 3rd Party Management
• Access & Controls

Page 9

If Carlsberg made security metrics…

Page 10

The detail…

Page 11

Final thought

Report what is important, not what you can

Email [email protected] @pcracknell