Security professionals are grappling with information overload as the volume of data captured by security technology has increased in light of more rigorous compliance demands, increased infrastructure complexity, and a challenging threat landscape.
According to a survey of 257 security professionals conducted by the Enterprise Strategy Group (ESG), 43% of enterprises say they are collecting substantially more data to support information security activities today than they did two years ago. The ESG survey found that 54% of respondents have amassed, on average, a hefty 1TB to 50TB data store specifically devoted to security-related information.
Yet despite the copious amounts of data being collected, the question remains whether IT groups are poised to act appropriately on the information. The answer, according to security experts, is not so much. The problem? Data collection is typically orchestrated by disparate tools from a myriad of best-of-breed vendors, each charged with a different role related to collecting, assessing, monitoring, or alerting IT management to possible security threats. Each of these tools typically has a distinct reporting capability and format. The ESG survey results found that 52% of respondents have between two and five different tools to collect, consolidate and analyze data.
As a result of this deployment strategy, most IT organizations end up with segregated information silos. They struggle to bring all the data together into one central location for better analysis, and they lack the actionable intelligence that is critical to maximizing the use of limited IT resources and driving better business decisions around IT risk.
To gain visibility into what's important from a business-critical standpoint, organizations need to trade the information silos for a more holistic, metrics-driven approach. Caroline Wong, Symantec's director of regional product management and the author of "Security Metrics, A Beginner's Guide," is a strong proponent of the view that the right coupling of security data and proven metrics can deliver the actionable intelligence needed to guide day-to-day decision making. Here's her take on the situation:
Q: Why are security metrics important?
A Security Metrics program provides the Information Security team with information for better decision making at both strategic and operational levels.
Security metrics are qualitative or quantitative measures of security program attributes. Security metrics enable a CISO to communicate the value of an information security program, enable investment planning and decision making, and drive the change necessary to improve the security posture of an organization.
An effective Security Metrics program serves as a guide for making day-to-day operational decisions while helping groups optimize the performance of existing technologies and processes.
Q: How do metrics help create a more secure organization?
The primary objective of measuring security is to improve the outcome of security controls and improve overall program effectiveness, but Security Metrics come into play for other reasons. Operationally, they can help identify and fix broken security processes, be used to prioritize and direct limited resources towards protecting the most valuable assets, and serve as a barometer for ensuring that standard processes are working. Metrics also provide visibility into the current state of security initiatives and can be used to educate key stakeholders and Information Security program sponsors using a common language all can understand.
Q: What other benefits can security metrics offer?
Information Security is a continuous process and there is always more work to be done than resources to deploy. By highlighting the level of maturity of different aspects of an Information Security program, metrics are a tool for prioritizing initiatives, driving strategic roadmaps, and facilitating budget and resource allocations. In addition, the reporting aspect of Security Metrics details the quantity, severity, and importance of security issues so the appropriate owners can do what it takes to perform remediation and drive change.
Q: What advice can you offer organizations on building a security metrics program?
Clearly defined goals, buy-in from stakeholders, and specific messaging for key audiences are crucial elements to the successful design and implementation of a Security Metrics program. The best strategy is to start with a defined objective so that work is purposeful rather than falling into an exercise in collecting information for information's sake.
Don't be discouraged if the first attempt at gathering and analyzing Security Metrics data isn't a huge success. It takes time to understand the data discrepancies and it helps to reach out to practitioners involved in the process to get a sense of what's wrong and the best way to fix it. The upside to this clean-up effort is that broken processes are found and resolved along the way. Also, refrain from trying to produce the perfect data set before making the metrics public. Reporting data right away to process owners and stakeholders can go a long way towards the pursuit of cleaner, more accurate data.
Q: How can technologies help organizations with this challenge?
Aside from deploying various technologies to gather security metrics, organizations should also look to technology to help them gain actionable intelligence from the large amounts of data being collected. Ideally a solution that can gather data from various security solutions, apply advanced correlation and analytics, and then present it in compliance, risk and security metrics views is needed. It is also critical to have an approach that maps risk scores and security metrics to key business assets, allowing organizations to prioritize security tasks based on business context.
Symantec products work in concert to deliver this holistic, metrics- and data-driven view of enterprise security. They include:
Symantec Protection Center Mobile, an innovative Apple iPad® app that puts security insights at the fingertips of IT security executives. Protection Center Mobile provides oversight of the IT security program, displaying key IT security metrics and business risk scores and enabling security executives to clearly communicate security status in business terms, anytime and anywhere.
Control Compliance Suite Risk Manager allows organizations to communicate IT risk in business-relevant terms and to prioritize remediation efforts based on business criticality of systems.
To find out more about how Symantec security products promote visibility and leverage metrics and analytics to foster better decision making, visit SPC Mobile and CCS Risk Manager.