This is a Q&A session with Ed Pollock, the Chief Information Security Officer at STERIS Corporation. Ed brings years of experience in the cybersecurity field and has offered some excellent advice about monitoring cybersecurity metrics.
A good cybersecurity metric should do a few things. First, it should influence change within your organization. If your colleagues, for example, don’t understand how a particular issue or behavior is damaging the company, then they likely won’t see it as a priority. Presenting metrics allows you to foster good communication so you can influence these people. Also, a good metric should help you visualize the effectiveness of your processes, determine where they are strong, and find out where there are opportunities to improve.
You should still monitor fully optimized metrics to ensure that you continue to perform at the same level (or quickly understand if there is a problem). But on the whole, if your metric takes too much time to put together or isn’t helping to improve anything, it doesn’t hold any real value.
As a customer, you expect that your vendor’s security is going to be as good as (if not better than) your security. But as a company, how do you measure your cybersecurity to make sure you’re meeting your customers’ expectations? We use BitSight Security Ratings, which has a number of great tools that allow you to benchmark your cybersecurity performance to both your competition and to your customers.
We create several metrics from our BitSight reports:
Probably the simplest metric we use is something you’ll find in many manufacturing facilities—the “safety cross.” It is really just a calendar in the shape of a cross. We use it to show if our nightly PCI and web security scan passed. If there are no issues, we use a highlighter to color the date green. If the scan fails because of a technical problem (and not a security problem) then we color it yellow. If the scan finds a security failure, then we color it red. Talk about a quick and easy metric! It takes less than a minute to color the box, but it’s a great visual aid.
I also like to use Pareto charts—which are simple bar graphs—to identify what is out of the norm and direct any remediation efforts. These charts are good for tracking the number of vulnerabilities your scanner finds on servers (or even desktops). Once this information is added to a Pareto chart, it is evident what machines should be investigated first for the root cause.
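The Pareto ranking described above, as an added example that is not code from the interview, STERIS or BitSight: it counts findings per host from a constructed scanner export (host names and finding IDs are made up), sorts hosts by count, and picks the "vital few" that account for most of the findings.

```python
"""Pareto ranking of vulnerability-scanner findings per host (added example)."""
from collections import Counter

# Constructed sample: one (host, finding_id) pair per finding the scanner reported.
SAMPLE_FINDINGS = [
    ("web-01", "F-101"), ("web-01", "F-102"), ("web-01", "F-103"), ("web-01", "F-104"),
    ("web-01", "F-105"), ("web-01", "F-106"), ("web-01", "F-107"), ("web-01", "F-108"),
    ("db-01", "F-201"), ("db-01", "F-202"), ("db-01", "F-203"), ("db-01", "F-204"),
    ("db-01", "F-205"),
    ("app-02", "F-301"), ("app-02", "F-302"), ("app-02", "F-303"),
    ("file-01", "F-401"), ("file-01", "F-402"),
    ("jump-01", "F-501"),
    ("print-01", "F-601"),
]


def pareto_table(findings):
    """Rows of (host, count, share, cumulative_share), highest count first.

    Ties are broken by host name so the output is stable between runs.
    """
    counts = Counter(host for host, _ in findings)
    total = sum(counts.values())
    rows, running = [], 0
    for host, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        running += n
        rows.append((host, n, n / total, running / total))
    return rows


def investigate_first(findings, threshold=0.8):
    """Hosts that together hold `threshold` of all findings: where to start root-cause work."""
    chosen = []
    for host, _, _, cumulative in pareto_table(findings):
        chosen.append(host)
        if cumulative >= threshold:
            break
    return chosen


def render_pareto(findings, width=30):
    """Plain-text version of the bar chart: one bar per host, scaled to the largest count."""
    rows = pareto_table(findings)
    biggest = rows[0][1]
    return [
        f"{host:<9} {'#' * round(width * n / biggest):<{width}} {n:3d} ({cumulative:4.0%} cum.)"
        for host, n, _, cumulative in rows
    ]


if __name__ == "__main__":
    print("\n".join(render_pareto(SAMPLE_FINDINGS)))
    print("Investigate first:", ", ".join(investigate_first(SAMPLE_FINDINGS)))
```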
I would suggest these basic guidelines:
I’ve talked a lot about how it is important for a metric to be easy to put together and to influence change. Something I didn’t mention earlier—but I think is very important—is that having a good metrics program is also about leadership. You can’t be afraid of failure by showing bad results, or your people will never show you “problem” metrics. They have to trust that you will use the metric to fix a broken process and that you won’t blame the people. If you can achieve that and gain their trust, you will be able to unleash their creativity to measure processes and find ways to improve. Be a leader—not a feared tyrant.
Here’s a quote I really like from Miracles Happen by Mary Kay Ash (yes — the Mary Kay from Mary Kay Cosmetics). I think it can be applied to metrics in that it motivates you and your organization to do better consistently, while at the same time not being afraid to try different metrics and see what works:
“Competition can be a very strong motivation. But I have learned that it becomes most powerful when you compete with yourself and when you learn from your failures.”
All in all, my philosophy is that metrics must influence change and be quick and simple—leadership needs to be able to accept that some things could look better and be on board with making them better. If you can accomplish those things, your cybersecurity metrics will be in good shape.
© 2021 BitSight Technologies. All Rights Reserved.