Security Metrics are About Illustrating Criticality vs Risk
Tenable Recently sponsored the publication of an ebook, Using Security Metrics to Drive Action. This ebook is a compilation of thoughtful essays from 33 CISOs and other experts, who all share their strategies for communicating security program effectiveness to business executives and the board. In this article, excerpted from the ebook, Genady Vishnevetsky, CISO for Stewart Title Guaranty Company, talks about how the criticality of assets impacts risk factors.
“Your chief executive officer (CEO) isn’t interested in how many vulnerabilities you have,” says Genady Vishnevetsky, chief information security officer of Stewart Title Guaranty Company. That’s not to say that the number of vulnerabilities isn’t important, just that when you’re communicating the strength of the corporate security program to your CEO and other members of the C suite, metrics like the number of vulnerabilities won’t provide useful information.
Your chief executive officer (CEO) isn’t interested in how many vulnerabilities you have
“The reality is, your program has to be risk driven,” says Vishnevetsky. “The same vulnerability can have different impacts on the asset, based on many factors.” Thus, your priority of addressing the vulnerabilities has to be directly related to risk of the asset to business. He explains using the example that by assigning each asset a level of criticality, if security is breached on a very critical asset, even if it has fewer vulnerabilities, it can cause substantial loss of revenue, reputation and even bring the company down. Alternately, you can have assets that have hundreds of vulnerabilities, but those assets have no associated critical data. The number of vulnerabilities may appear high, but because they’re lower on a scale of criticality, the risk is lower, as well.
Vishnevetsky says the most effective way to determine which metrics are important is to use a computational method that determines the value of an asset or set of assets to the business, physical location of the asset, segmentation, additional compensating controls and what types of vulnerabilities exist for those assets. That allows organizations to build a solid picture of the criticality of those assets. “These compile into metrics that convert these vulnerabilities or threats into a risk factor,” says Vishnevetsky. “So, this particular asset has a risk factor: assign it a number from 1 to 5, 1 to 10, or 1 to 100—it doesn’t really matter. It’s all comparative. You show your assets according to value as opposed to looking just at the number of vulnerabilities.”
When communicating the strength of your security program to the C suite, Vishnevetsky says that it’s important not to overwhelm them. “If I’m presenting to the executive team, it depends who’s on that team. Different executives will better understand metrics that are dear to their heart. You cannot tailor your metrics to every executive,” he says, “but you can select at most five metrics that are both qualitative and quantitative, and each individual will pick up something he or she understands.”
For example, Vishnevetsky says that the CEO will understand maturity level: our security program has a maturity of three out of five in this domain. In another domain, it has a maturity of one out of five, and another domain has a maturity level of four out of five. “That’s what they understand,” he explains. “It needs to be visual. It needs to be concise. It needs to be simple. Remember, they are not technologists who understand what the vulnerability is. They understand the risk to the business, and they understand the capability of your security program as far as how well it defends the business, how it helps to protect the business. That’s what they understand.”
They are not technologists who understand what the vulnerability is. They understand the risk to the business.
“The CEO probably needs to feel comfortable that you ‘get it,’ that you know what you’re doing. You can present him or her one or two simple metrics, usually a maturity and capability level of your security program,” he adds. “One or two and no more than that. That’s about all the metrics a CEO needs to know. Anything that deals with the number of viruses, number of vulnerabilities, number of penetration testing, number of scans—any massive numbers are going to blow their minds.”
- Get your copy of the ebook, Using Security Metrics to Drive Action
About the author
Genady Vishnevetsky is the CISO for the Stewart Title Guaranty Company. An established leader with experience in building successful security programs to protect enterprises against emerging threats, Vishnevetsky leads the security, governance, and compliance programs for a major real estate financial services company. In his past role as the vice president of security and information security officer at Paymetric, Vishnevetsky built the cybersecurity, governance, and compliance programs for the United States’ fifth largest payment processor of card-not-present electronic payments systems.