When security professionals talk with executives about security a four letter word normally comes to their mind - COST. During the economic downturn of 2008 and 2009, we saw flat budgets for security, layoffs, and more work to be done even though there was a marked increase of investment into so called "malicious" entities that commit fraud, identity, theft and other crimes through the use of malware and other attack vectors(Social networks, etc). Security professionals are left in a precarious position in that they are more concerned about the sophistication of recent attacks than ever and feel that their existing technology won't combat the new threats. Since the tools and technologies they have won't help the newest threats they are fighting, the security professionals must ask for additional funding to procure the new technology and that is where the problem starts. Most security professionals are like a deer in front of headlights when they need to justify or communicate additional investment in security. It is not their fault though as most education for security professionals never talks about IT security metrics, how to communicate security value, and, even though it is a soft skill, how to talk with executives.
This paper and presentation aims to change this. IT Security metrics are a growing topic for many security organizations as they flay about looking for ways to communicate the reasons why the business should provide additional funding to the security team when many executives simply assume that if the threat didn't happen last year, it won't happen this year.
In June 2010, we will be launching the last step in our research of this topic. We will leverage the readership of InformationWeek, of the largest IT magazines, and survey the IT security professionals to learn what metrics they are use, why they are using them, what is and is not working, and how the communicate to their executive management. We will take this survey data in addition to the data from a many interviews with CSOs and IT Security process engagements with clients over the past year and half to educate the attendees on the best practices to address this growing problem.
Our research to data has shown some amazing trends that we believe will surprise attendees and change the way the currently "sell" security to their management. For example, we found that the organizations that had the highest continued investment in security usually did not have that investment lead by IT Security. That's right, the more IT security was "out of the equation" the more likely the organization was to actually provide funding. Of course, the devil is in the details and we found that this is because the committee or team that proposed new IT security investments was usually made up of 3-5 people with only one person being an IT Security representative. The format of their meetings in which they reviewed IT security progress and potential needs for investment focused on educating the other 2-4 members of the committee about the security value through the use of real-world business applicable scenarios that actually involved the team members of the executives in the room, and most importantly, was mapped to business strategy. There is an overwhelming correlation between the linkage of business strategy and IT Security to successfully funded organizations in our research.
Linking security metrics, which is normal esoteric and very technically oriented, to strategic business objectives is difficult for many security professionals but leveraging the approach of using the Balanced Score Card business strategy method, but adapting it to IT security, has shown to be the key factor for making the link occur.
Within our presentation we will provide a step by step process to building and implementing an IT security Metrics program, tying that program to Business strategy using the Balanced Score Card method (the most used method for documenting and quantifying business strategy), and then provide case studies, and results from our interviews and survey, to educate the attendees on how to communicate effectively in the board room when asking for security investment.
Although we will release results of our interviews and survey's, the focus is education through case studies and the best practices we have found to work when implementing the three areas of security required to effectively communicate security value: Measurement, Business Justification, and Communication skills.
This is the missing link for most security professionals to take their career to the next level.