Maksim Kabakou - Fotolia

Security Think Tank: Focus on metrics to manage risk

How can security professionals help their organisations move from traditional governance, risk and compliance to integrated risk management that integrates risk activities from across an organisation to enable better strategic decision making?

IT systems, in general, are moving towards software-defined networks and governance. From oversight and governance regarding IT networking to deployment of systems, much is software defined, and managed as such.

Governance is also moving in this direction through software-defined governance, where services such as configuration management, patching and vulnerability management orchestration are increasingly automated.

Compliance dashboarding and tracking compliance metrics was the first step in measuring governance, but we’re moving towards auto-configuration management and compliance monitoring via software-defined solutions.

Software-defined governance helps with integration to risk management since metrics and data can be collected and processed on a near real-time basis. This provides an overall view of risk and governance from a single standpoint, which can in turn result in rapid response and ease of oversight in an organisation in continuous flux.

Understanding and having the correct metrics certainly assists with making strategic and operational decisions quickly. Trends over time push strategy, while real-time metrics can assist with operations.

Information security professionals can assist by focusing on metrics, as we can’t improve what we can’t measure. Many metrics of value in the information security world overlap with risk management and overarching strategy. Items such as system stability, usage downtime, vulnerability density and time to fix – to name a few – can all be used to assist with focusing one’s budget on doing the right things to move the dial in a positive direction.

Information security needs to look at integration and alerting, and how these events and associated data can be correlated with other business as usual aspects of the organisation. Metrics and alerting integrations can provide strategic “food for thought” and assist executives in considering where to allocate budget and resources. For example, a business unit with a high vulnerability count may require training or improvements to maintenance or deployment. By detection of the symptom, we can try to understand the root cause and act accordingly.

Read more about integrated risk management

  • Turnkey Consulting’s Simon Persin considers the operational approach to integrated risk management.
  • To be sufficiently effective and efficient, the ability of organisations to discover, manage and mitigate digital risk requires greater integration between internal functions, says Ovum’s Maxine Holt.

There is a wide overlap between governance, compliance and IT security if data is “merged” in this way. We can analyse high-level trends and “drill” deeper into technical and root cause of symptoms which provides us with both operational and strategic views of the same issue. The traditional method of receiving reports from internal/external consultants, tracking the discovered non-compliant issues, rinse and repeat is just way too slow to keep pace with the rate of chance in a contemporary environment.

An integrated metrics-driven approach using some decent analytics can change the posture of any organisation significantly. Metrics to consider which can assist risk governance are suggested as follows:

Development security touchpoints and toll gates: Gather metrics relating to security fails early on in the system development lifecycle. Earlier detection is cheaper and more effective. Root cause identification can assist with quality and compliance (and also security posture).

Simple fixes can result in huge dividends: Tracking security posture of non-compliant live systems (for example, systems not configured correctly or systems which require patching). Trying to answer questions such as “why, how, where” in terms of misconfigured or neglected systems. The measure of time-to-remediate (TTR) is a by-product of this.

Mean time to remediation: Measure how quickly system vulnerabilities are being fixed and if they are being fixed at all. Many compliance requirements demand continuous improvement and evidence you are taking compliance seriously.

Establish asset inventory: Automated continuous profiling can aid updating an asset inventory in near real time. Visibility and scope are a common root cause for non-compliance or breach – for example, “We did not know that server existed…”.

The traditional approach of using siloed (standalone) tools and processes no longer workd. Integrations into governance ecosystems are key to achieving an overall view of an organisation’s risk landscape.”

Read more on IT risk management