Importance of security operational metrics and reports

Enterprise today has limited security resources and are strive to ensure the confidentiality, availability and integrity of data. The cost of securing operational assets and data is an important consideration. Each enterprise must find ways to balance between managing risk and cyber security expenditures.

Role of measurements and metrics in security operation center

Measurements tend to be determined by external factors, and generally are not impacted directly by actions taken by security professionals (example – number of attacks, number of denied firewall connections). Metrics tend to be indicators of ‘progress’ or ‘achievement’, and thus can be impacted by security professionals (example – average time to respond to an escalated ticket, average time to remediate a vulnerability after patch release) (also read – Transform you Security operations center)

Develop and Build Security Metrics Program

Enterprise to plan, develop and build security metrics program using industry best practices such as NIST guidelines. The program considerations should include

  • Metrics must be objective, quantifiable information
  • Underlying data required to develop metrics must be readily available
  • Track metrics only for repeatable security processes
  • Implement metrics to track execution of security policies
  • Effectiveness and efficiency metrics to track results to security service delivery
  • Risk related impact metrics to clarify the business consequences of security events

Security Operations Measurements

Enterprise should identify the measurements needed to understand the security operations workload and staffing requirements. The metrics that could be useful in managing the efficiency and effectiveness of security operations. The security leaders should outline process for how organizations can translate data regarding operational efficiency and effectiveness to clearer view of security risk. For example, the policy change metrics for security devices can categorized as depicted below

similarly for Vulnerability Management and Remediation can be categorized as depicted below (also read – ‘threat hunting‘)

likewise for Security incident response, the below sample metrics can be considered

Trends and Risks

In addition to measurements and metrics, organization need to establish process to work with data for trend analysis to identify security risks. The key elements need considerations are

  • Establish baselines
  • Identify Trends
  • Analyze Trends
  • Create Reports

The sample policy change latency and incident response latency trend & risk report shown below

Business Risk and Security Financial Reporting

Since most organizations operate with limited financial and resource constraints, they need to prioritize security activities to maximize business benefits. Hence its important to translate how the security risk are directly impacting the business risks that helps to define the ‘Risk based security strategy’. Security leaders should ask below questions to define the financials for security strategy programs

  • What level of business risk is acceptable from security perspective?
  • Which business assets and data should be prioritized to align security operations with acceptable level of business risk
  • What is the most efficient way to operationalize security to protect business critical assets and data
  • How do you measure progress in security business critical assets and data, and report on the level of business risk reflected in the organization’s security posture
  • How much will the organization need to spend to achieve its security and business risk mitigation goals

The two main sources to understand ‘crown jewels’ are

  • What are the assets and data tied to organization revenue generation
  • What are all the trade secrets and intellectual properties

When communicating to board on security financial reporting, its important to provide visibility beyond security operations and infrastructure. The value of security operations are only understood if the reports has evident information such as

  • Average security operations cost to address an incident
  • Average amount of business revenue lost from an incident
  • Average amount of regulatory and legal costs associated with an incident

The C-Suite often don’t have time to get into granularity of security operational metrics. Hence its recommended to provide them with view of Security Health Dashboard as depicted below