This is a Q&A session with Ed Pollock, the Chief Information Security Officer at STERIS Corporation. Ed brings years of experience in the cybersecurity field and offers some excellent advice about monitoring cybersecurity metrics.
What value do good cybersecurity metrics offer?
A good cybersecurity metric should do a few things. First, it should influence change within your organization. If your colleagues, for example, don’t understand how a particular issue or behavior is damaging the company, then they likely won’t see it as a priority. Presenting metrics allows you to foster good communication so you can influence these people. Also, a good metric should help you visualize the effectiveness of your processes, determine where they are strong, and find out where there are opportunities to improve.
You should still monitor fully optimized metrics to ensure that you continue to perform at the same level (or quickly understand if there is a problem). But on the whole, if your metric takes too much time to put together or isn’t helping to improve anything, it doesn’t hold any real value.
Which metrics do you measure regularly?
1. BitSight Security Ratings
As a customer, you expect that your vendor’s security is going to be as good as (if not better than) your security. But as a company, how do you measure your cybersecurity to make sure you’re meeting your customers’ expectations? We use BitSight Security Ratings, which has a number of great tools that allow you to benchmark your cybersecurity performance to both your competition and to your customers.
We create several metrics from our BitSight reports:
BitSight reports will show you any security events that have occurred, so we put these up on the board and try to identify why they happened and what we need to fix.
We look at our BitSight score in comparison to our competition, customers, and other industries, to see how we stack up at any given time.
Through the diligence section of our report, we can see key indicators about whether we’re making the right choices in regard to security and other best practices.
2. Safety Cross
Probably the simplest metric we use is something you’ll find in many manufacturing facilities—the “safety cross.” It is really just a calendar in the shape of a cross. We use it to show if our nightly PCI and web security scan passed. If there are no issues, we use a highlighter to color the date green. If the scan fails because of a technical problem (and not a security problem) then we color it yellow. If the scan finds a security failure, then we color it red. Talk about a quick and easy metric! It takes less than a minute to color the box, but it’s a great visual aid.
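The safety cross above is a hand-coloured calendar, but the decision behind each colour (scan broke for a technical reason versus scan found a security problem versus clean) is easy to automate. The following is an added example, not code from the interview or from STERIS: it parses a constructed nightly-scan log (the line format, the hostnames and the severity threshold are assumptions made for this example) and assigns each day of the month its colour, so the calendar can be filled in from the scanner's own output rather than by hand.

```python
import re
from calendar import monthrange
from datetime import date

# Constructed nightly scan log lines for one week. The line format is an assumption
# made for this example, not the output of any particular scanner.
SAMPLE_LOG = """\
2024-03-01 scan=pci status=completed findings=0
2024-03-02 scan=pci status=completed findings=1 max_severity=low
2024-03-03 scan=pci status=error reason=target_unreachable
2024-03-04 scan=pci status=completed findings=3 max_severity=high
2024-03-05 scan=pci status=completed findings=0
"""

LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) scan=\S+ status=(?P<status>\w+)"
    r"(?: findings=(?P<findings>\d+))?(?: max_severity=(?P<sev>\w+))?"
)
# Severities that count as a security failure (red). The threshold is an assumption
# for the example; a low-severity finding alone still leaves the day green here.
RED_SEVERITIES = {"medium", "high", "critical"}


def parse_log(text):
    """Return {date: (status, max_severity)} from the constructed log format."""
    runs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a scan summary line; ignore it
        runs[date.fromisoformat(m["day"])] = (m["status"], m["sev"])
    return runs


def cross_color(run):
    """Map one night's result to the safety-cross colour.

    yellow: the scan did not complete (a technical problem, not a security problem)
    red:    the scan completed and found a failing severity
    green:  the scan completed clean (or with only below-threshold findings)
    """
    if run is None:
        return "white"  # no record for that day: left uncoloured (assumption)
    status, sev = run
    if status != "completed":
        return "yellow"
    if sev in RED_SEVERITIES:
        return "red"
    return "green"


def month_cross(year, month, runs):
    """Colour for every day of the month, in calendar order."""
    days = monthrange(year, month)[1]
    return {d: cross_color(runs.get(date(year, month, d))) for d in range(1, days + 1)}


def summary(colors):
    """Counts per colour: the number you would read off the wall at month end."""
    out = {"green": 0, "yellow": 0, "red": 0, "white": 0}
    for c in colors.values():
        out[c] += 1
    return out


if __name__ == "__main__":
    colors = month_cross(2024, 3, parse_log(SAMPLE_LOG))
    for day, colour in colors.items():
        if colour != "white":
            print(f"2024-03-{day:02d}: {colour}")
    print(summary(colors))
```

The one distinction worth keeping is the yellow case: a scan that never ran or crashed tells you nothing about the target's security, and colouring it green would hide the gap.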
3. Pareto Charts
I also like to use Pareto charts—which are simple bar graphs—to identify what is out of the norm and direct any remediation efforts. These charts are good for tracking the number of vulnerabilities your scanner finds on servers (or even desktops). Once this information is added to a Pareto chart, it is evident what machines should be investigated first for the root cause.
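To make the Pareto step concrete, here is an added example (not code from the interview or from STERIS) that builds the chart from constructed scanner output: it counts findings per host, sorts hosts by count, computes each host's cumulative share, and returns the leading hosts that together account for 80% of all findings, which is the set you would investigate first. The hostnames and finding ids are made up for the example, and the optional severity weights are an assumption, not something the interview describes.

```python
from collections import Counter

# Constructed scanner output for illustration: (hostname, finding id, severity).
# Hostnames and finding ids are made up; they do not come from any real scan.
SAMPLE_FINDINGS = [
    (host, f"FINDING-{i:03d}", "high" if i % 3 == 0 else "medium")
    for host, n in [("web-01", 12), ("db-02", 6), ("app-03", 4), ("web-02", 2), ("file-01", 1)]
    for i in range(n)
]


def count_by_host(findings, weights=None):
    """Findings per host; optional severity weights (e.g. {"high": 3}) replace the plain count."""
    counts = Counter()
    for host, _finding_id, severity in findings:
        counts[host] += weights.get(severity, 1) if weights else 1
    return counts


def pareto_table(findings, weights=None):
    """Rows of (host, count, share, cumulative_share), largest count first.

    Ties are broken by hostname so the ordering is deterministic.
    """
    counts = count_by_host(findings, weights)
    total = sum(counts.values())
    if total == 0:
        return []  # nothing to chart; also avoids a division by zero
    rows, running = [], 0
    for host, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        running += n
        rows.append((host, n, n / total, running / total))
    return rows


def vital_few(findings, threshold=0.8, weights=None):
    """Hosts to investigate first: the smallest leading set reaching `threshold` of all findings."""
    selected = []
    for host, _n, _share, cumulative in pareto_table(findings, weights):
        selected.append(host)
        if cumulative >= threshold:
            break
    return selected


def render(findings, width=40):
    """Text Pareto chart: one bar per host plus the cumulative percentage column."""
    rows = pareto_table(findings)
    if not rows:
        return "(no findings)"
    biggest = rows[0][1]
    lines = []
    for host, n, share, cumulative in rows:
        bar = "#" * round(width * n / biggest)
        lines.append(f"{host:<10} {n:>4} {bar:<{width}} {share:6.1%} cum {cumulative:6.1%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_FINDINGS))
    print("investigate first:", vital_few(SAMPLE_FINDINGS))
```

On the sample data the first three hosts carry 88% of the findings, so the chart points remediation at web-01, db-02 and app-03 before anything else; passing severity weights instead of raw counts keeps the same shape but stops a pile of informational findings from outranking a few high-severity ones.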
What are some important guidelines to follow when dealing with cybersecurity measures?
I would suggest these basic guidelines:
Make sure you’re showing the right metrics to the right party. You’ll have different audiences for your metrics with different goals you are trying to accomplish. There are a few metrics that can span an audience from the system admin to the board member, but there are many that are specific to the party viewing them. For example, senior executives and board members don’t care how many computers have encryption; they care about making sure they are meeting their fiduciary responsibility and ensuring that the organization is appropriately secured.
Utilize services and technologies that help you determine how you’re doing. Companies like BitSight help you assess your security by assigning scores or letter grades to different indicators. These ratings can help quantify your security based on a number of different factors. Using a grade in the metric is informative and inspirational, and it gives the team a sense of satisfaction when they earn the “A.”
Select metrics that support your efforts to influence change and measure them at an interval that makes sense. Keep it simple and automate as much as you can. You need to be able to easily gather important security information and tell your “security story” without taking up too much time to put it together.
Don’t waste time. I want to be able to update all of my metrics in about fifteen minutes. At STERIS we’re doing a lot of lean IT, where there are a lot of metrics involved. One trap that some groups fall into is that they spend hours putting together their slides. In my opinion, this is a waste of time. You should simply determine how to get the right information and how to do it very quickly—which is what we use BitSight for. If I tried to get this information based on my intrusion prevention systems or my firewall, I’d spend all day doing it—and even then, it wouldn’t tell me much.
Do you have any final thoughts to share with readers?
I’ve talked a lot about how it is important for a metric to be easy to put together and to influence change. Something I didn’t mention earlier—but I think is very important—is that having a good metrics program is also about leadership. You can’t be afraid of failure by showing bad results, or your people will never show you “problem” metrics. They have to trust that you will use the metric to fix a broken process and that you won’t blame the people. If you can achieve that and gain their trust, you will be able to unleash their creativity to measure processes and find ways to improve. Be a leader—not a feared tyrant.
Here’s a quote I really like from Miracles Happen by Mary Kay Ash (yes—the Mary Kay from Mary Kay Cosmetics). I think it can be applied to metrics in that it motivates you and your organization to do better consistently, while at the same time not being afraid to try different metrics and see what works:
“Competition can be a very strong motivation. But I have learned that it becomes most powerful when you compete with yourself and when you learn from your failures.”
All in all, my philosophy is that metrics must influence change and be quick and simple—leadership needs to be able to accept that some things could look better and be on board with making them better. If you can accomplish those things, your cybersecurity metrics will be in good shape.