Recently I was invited to lead a war-gaming session at a CISO forum on the topic of “Security Dashboard for Board”, and that made me realize the importance of the topic. This blog post is a follow-up to that experience.
The topic of cyber-security did not receive boardroom attention until recently; metrics and dashboards remained the subject matter of QA professionals. Cyber-security is growing in importance in today’s world, where more and more business is conducted online. Board members today want to reduce business risk, and cyber-security risk is certainly among the top risks in today’s business.
(1) Why do security threats need to be monitored and reported?
All systems are prone to vulnerabilities that can be exploited by malicious software and agents. Developers and users of IT need to assess and manage the risk from these unavoidable security vulnerabilities and threats. One of the biggest challenges is to identify and measure the security parameters that are relevant for supporting decision-making. The Capgemini Cybersecurity survey sheds light on the risks organizations are facing.
Determining security parameters and quantifying them is not a trivial matter. On the one hand, the parameters need to be applicable to low-level components; on the other, the same parameters should be usable for very different purposes, such as compliance with standards, contractual requirements, comparison against benchmarks, etc.
(2) What should be monitored and reported?
Both the internal and the external use of security parameters require evidence and should support the quantification of security factors. One needs to use the right terminology for security parameters. Listed below are some of the key parameters around which security metrics need to be captured. It is valuable to ensure that the parameters capture two main dimensions: the severity and the impact of an incident.
(a) Application Security / Vulnerability Management
Application security encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) arising from flaws in the design, development, deployment, upgrade, or maintenance of the application.
• Vulnerability: a weakness of a (sub)system that can be exploited to impair its services or affect its assets.
• Threat: a potential for violation of security, which exists when there is an action or event that could breach security and cause harm.
• Attack: a process carried out by a threat agent to exploit a system by taking advantage of one or more vulnerabilities.
• Countermeasure: a set of actions to avoid or mitigate undesired malicious actions against a system.
Vulnerabilities can be discovered with a vulnerability scanner, which searches for open ports, insecure software configuration, susceptibility to malware, buffer overflows, etc. In addition, antivirus software with heuristic detection can help discover undocumented malware (e.g. software attempting to overwrite a system file).
Correcting vulnerabilities may involve installing a patch, changing the network security policy, reconfiguring software (such as a firewall), educating users about social engineering, or incident management. Let’s discuss these.
(b) Patch Management - involves acquiring, testing, and installing multiple patches (code changes) on a system. Patch management activities include (i) maintaining current knowledge of available patches, (ii) deciding which patches are appropriate for particular systems, (iii) ensuring that patches are installed properly, (iv) testing systems after installation, and (v) documenting all associated procedures, such as specific configurations.
(c) Configuration Change Management - is a process for establishing and maintaining consistency of a product's performance, functional and physical attributes with its requirements, design and operational information throughout its life.
(d) Incident Management - identifies, analyzes, and corrects hazards to prevent a future recurrence. Such incidents within an organization are dealt with by an Incident Response Team (IRT) or Incident Management Team (IMT).
(3) Specific Metrics to be Reported in Dashboard
Financial / Business Metrics
- Information Security Budget as % of IT Budget
- Financial losses (direct and indirect) caused by security breaches
- Impact of damage to reputation and trust
- Cost of (loss due to) data breaches
- Impact of business disruptions caused by security incidents
Application Security / Vulnerability Management
- Risk Assessment Coverage (% covered against overall applications, against critical applications)
- Security Testing Coverage (% covered against overall applications, against critical applications)
- Vulnerability Scan Coverage
- % of Systems Without Known Severe Vulnerabilities
- Mean-Time to Mitigate Vulnerabilities
- Number of Known Vulnerability Instances
Patch Management
- Patch Policy Compliance
- Patch Management Coverage
- Mean-Time to Patch
Configuration Change Management
- Mean-Time to Complete Changes
- % of Changes with Security Review
- % of Changes with Security Exceptions
Incident Management
- Mean-Time to Incident Discovery
- Incident Rate
- Mean-Time Between Security Incidents
- Mean-Time to Recovery
- % of Incidents Detected by Internal Controls
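To make the vulnerability and incident metrics in the list above concrete, here is an added Python example (not code from the original post) that computes several of them from raw records. The asset, vulnerability and incident records are constructed sample data; their field names, the choice of units (days for vulnerability metrics, hours for incident metrics) and the 30-day reporting period are assumptions made for the example.

```python
"""Compute a handful of board-dashboard security metrics from raw records."""
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the post). Dates are ISO 8601 strings;
# a None in "mitigated" means the vulnerability instance is still open.
ASSETS = [
    {"host": "web-01", "scanned": True},
    {"host": "web-02", "scanned": True},
    {"host": "db-01", "scanned": True},
    {"host": "app-01", "scanned": True},
    {"host": "legacy-01", "scanned": False},  # never scanned in this period
]

VULNERABILITIES = [
    {"host": "web-01", "severe": True, "found": "2024-03-01", "mitigated": "2024-03-08"},
    {"host": "web-01", "severe": False, "found": "2024-03-02", "mitigated": None},
    {"host": "web-02", "severe": True, "found": "2024-03-05", "mitigated": None},
    {"host": "db-01", "severe": True, "found": "2024-03-03", "mitigated": "2024-03-06"},
    {"host": "db-01", "severe": True, "found": "2024-03-11", "mitigated": None},
    {"host": "app-01", "severe": False, "found": "2024-03-10", "mitigated": "2024-03-12"},
]

INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T00:00", "discovered": "2024-03-01T12:00",
     "recovered": "2024-03-02T00:00", "internal_detection": True},
    {"id": "INC-2", "occurred": "2024-03-11T00:00", "discovered": "2024-03-12T00:00",
     "recovered": "2024-03-12T06:00", "internal_detection": False},
    {"id": "INC-3", "occurred": "2024-03-21T00:00", "discovered": "2024-03-21T06:00",
     "recovered": "2024-03-21T12:00", "internal_detection": True},
]


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def vulnerability_scan_coverage(assets):
    """Vulnerability Scan Coverage: share of assets scanned in the period."""
    return _pct(sum(a["scanned"] for a in assets), len(assets))


def pct_systems_without_severe_vulns(assets, vulns):
    """% of Systems Without Known Severe Vulnerabilities.

    Only scanned hosts go in the denominator: an unscanned host has no *known*
    vulnerabilities, so counting it would inflate the metric.
    """
    scanned = {a["host"] for a in assets if a["scanned"]}
    with_open_severe = {v["host"] for v in vulns if v["severe"] and v["mitigated"] is None}
    return _pct(len(scanned - with_open_severe), len(scanned))


def known_vulnerability_instances(vulns):
    """Number of Known Vulnerability Instances still open."""
    return sum(1 for v in vulns if v["mitigated"] is None)


def mean_time_to_mitigate_days(vulns):
    """Mean-Time to Mitigate Vulnerabilities, over closed instances only."""
    closed = [_hours(v["found"], v["mitigated"]) / 24 for v in vulns if v["mitigated"]]
    return round(mean(closed), 1) if closed else None


def mean_time_to_discovery_hours(incidents):
    """Mean-Time to Incident Discovery: occurrence -> discovery."""
    return round(mean(_hours(i["occurred"], i["discovered"]) for i in incidents), 1)


def mean_time_to_recovery_hours(incidents):
    """Mean-Time to Recovery: discovery -> recovery."""
    return round(mean(_hours(i["discovered"], i["recovered"]) for i in incidents), 1)


def mean_time_between_incidents_days(incidents):
    """Mean-Time Between Security Incidents, from consecutive occurrence times."""
    starts = sorted(i["occurred"] for i in incidents)
    gaps = [_hours(a, b) / 24 for a, b in zip(starts, starts[1:])]
    return round(mean(gaps), 1) if gaps else None


def incident_rate(incidents, period_days, per_days=30):
    """Incident Rate, normalised to incidents per `per_days` days."""
    return round(len(incidents) * per_days / period_days, 1)


def pct_detected_by_internal_controls(incidents):
    """% of Incidents Detected by Internal Controls (vs. reported externally)."""
    return _pct(sum(i["internal_detection"] for i in incidents), len(incidents))


def build_dashboard(assets=ASSETS, vulns=VULNERABILITIES, incidents=INCIDENTS, period_days=30):
    """Assemble the metric rows a dashboard would render for one reporting period."""
    return {
        "vulnerability_scan_coverage_pct": vulnerability_scan_coverage(assets),
        "systems_without_severe_vulns_pct": pct_systems_without_severe_vulns(assets, vulns),
        "known_vulnerability_instances": known_vulnerability_instances(vulns),
        "mean_time_to_mitigate_days": mean_time_to_mitigate_days(vulns),
        "mean_time_to_discovery_hours": mean_time_to_discovery_hours(incidents),
        "mean_time_to_recovery_hours": mean_time_to_recovery_hours(incidents),
        "mean_time_between_incidents_days": mean_time_between_incidents_days(incidents),
        "incident_rate_per_30_days": incident_rate(incidents, period_days),
        "incidents_detected_by_internal_controls_pct": pct_detected_by_internal_controls(incidents),
    }


if __name__ == "__main__":
    for name, value in build_dashboard().items():
        print(f"{name:45s} {value}")
```

Two definitional choices matter more than the arithmetic: the "systems without severe vulnerabilities" denominator deliberately excludes unscanned hosts, and mean time to recovery is measured from discovery rather than from occurrence. Whichever definitions an organization picks, they must stay fixed from one board report to the next, or the trend lines the board reads will move for reasons unrelated to security posture.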
(4) In Summary - Key Challenges in reporting Security Dashboards
Is it enough if the above metrics are regularly reported and monitored? A good dashboard can only provide a starting point from which to deep-dive further and investigate more.
In summary, below are the challenges in implementing a good metrics and dashboard program.
• Difficulty of estimating the cost of data breaches
• Difficulty in detecting unknown malware
• Difficulty in identifying new vulnerabilities
• Difficulty of ensuring controls during systems development
• Difficulty of getting attention for information security as a formal program at the organization level
Finally, dashboards can help, but they cannot replace the need for foresight. Security dashboards are critical for the board to review regularly and act upon, to save their organizations from cyber-threats.
The key focus of board members is to monitor financial/business metrics in order to avoid financial loss, reduce damage to reputation and trust, avoid the cost of data breaches and eliminate business disruptions. Unfortunately, these metrics are not always easy to compute, as no one wants to allocate budget on the basis of potential incidents and losses.