
Measuring success in threat management programmes

Cisco : 16 October, 2014  (Special Report)
Sujata Ramamoorthy and Hessel Heerebout of Cisco continue their examination of unified security metrics programmes by discussing success measurement

In response to today’s pervasive security risks, the Information Security (InfoSec) Team in Cisco’s Threat Response, Intelligence and Development group launched a Unified Security Metrics (USM) programme. The team’s intent was to create a consistent process to check for vulnerabilities and reduce network threats across the organization. A year into the programme, the team has discovered four proof points that show USM is working as intended. Organizations looking to create a metrics-based security programme can use these proof points to gauge their programmes’ effectiveness as well. As part of a larger security initiative, USM also produced valuable metrics showing what truly drives great results and outcomes.

1 Security Is Everyone’s Job

The task of securing information belongs to everyone and requires cross-functional expertise and cooperation. When everyone shares accountability for security, each team member becomes an agent of positive change. Part of the USM team’s success has come from the creation of two newly defined roles: Security Service Primes, who are the “Chief Security Officers” of their respective IT service area (managers), and Partner Security Architects, who are the Subject Matter Experts (technical leads). Neither is part of the InfoSec group, but each is fully trained on security and has broad responsibility to govern security. Designating this virtual team of trusted advisors throughout IT helps the InfoSec team scale and embed security into the IT team’s DNA.

2 Establishing a Risk Control Library

It is important to have a well-defined library of common controls within IT to manage risk in a fast-changing IT environment that includes cloud, virtualization and mobile computing. Cisco’s IT Risk Management (ITRM) uses a universal framework to manage risk globally in the areas of resiliency, Sarbanes-Oxley (SOX) compliance, Governance Risks and Controls (GRC) audits, ISO9001, Cloud and Application Security Providers, and security.

Risk management reporting dashboards found within ITRM provide tremendous insight and visibility at both the service and application portfolio level. By incorporating security metrics into this ITRM framework, IT functions and service areas can make better risk-aligned investment decisions. The security metrics also help to increase efficiency and effectiveness in satisfying regulations, audits and risk compliance requirements.

3 Reporting Systems Are Vital

In order for IT service owners to take corrective actions in a timely manner, transparent reporting systems are vital. Quarterly reporting systems provide detailed security analysis, such as vulnerability and on-time closure metrics at the working, management and executive levels, to help these groups drive remediation efforts, assess risk and identify trends. This transparent and inclusive approach has increased programme adoption among IT service areas and has also – somewhat unexpectedly – created a sense of competition among different IT teams to drive success toward improved performance.
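The article names vulnerability and on-time closure metrics as the quarterly reporting output but does not show how they are derived. The following is an added worked example, not code from the article or from Cisco’s USM programme, of how such metrics can be computed from a set of vulnerability findings and rolled up per IT service (the working level) and across services (the executive level) for one 13-week reporting quarter. The severity-to-SLA table, the service names and the finding records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLAs in days from the date a finding is opened.
# These are illustrative values, not the article's or Cisco's policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    """One vulnerability finding attributed to an IT service owner."""
    finding_id: str
    service: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None means still open

    @property
    def due(self) -> date:
        return self.opened + timedelta(days=SLA_DAYS[self.severity])


def quarter_window(start: date):
    """13-week reporting quarter as a half-open interval [start, end)."""
    return start, start + timedelta(weeks=13)


def service_metrics(findings: List[Finding], quarter_start: date, as_of: date) -> Dict[str, dict]:
    """Per-service closure metrics for the quarter beginning at quarter_start.

    closed          findings closed inside the quarter window
    closed_on_time  of those, closed on or before their SLA due date
    open            findings still open at the as_of date
    open_overdue    of those, already past their SLA due date
    on_time_rate    closed_on_time / closed (None when nothing was closed)
    """
    q_start, q_end = quarter_window(quarter_start)
    rows: Dict[str, dict] = {}
    for f in findings:
        r = rows.setdefault(
            f.service,
            {"closed": 0, "closed_on_time": 0, "open": 0, "open_overdue": 0},
        )
        if f.closed is not None:
            # Only count closures that happened in this reporting quarter.
            if q_start <= f.closed < q_end:
                r["closed"] += 1
                if f.closed <= f.due:
                    r["closed_on_time"] += 1
        else:
            r["open"] += 1
            if as_of > f.due:
                r["open_overdue"] += 1
    for r in rows.values():
        r["on_time_rate"] = round(r["closed_on_time"] / r["closed"], 3) if r["closed"] else None
    return rows


def executive_rollup(rows: Dict[str, dict]) -> dict:
    """Single consolidated view across all services for the CIO-level report."""
    closed = sum(r["closed"] for r in rows.values())
    on_time = sum(r["closed_on_time"] for r in rows.values())
    return {
        "services": len(rows),
        "closed": closed,
        "closed_on_time": on_time,
        "open_overdue": sum(r["open_overdue"] for r in rows.values()),
        "on_time_rate": round(on_time / closed, 3) if closed else None,
    }


# Constructed sample findings; service names and dates are invented.
SAMPLE_FINDINGS = [
    Finding("V-1", "email", "critical", date(2014, 7, 2), date(2014, 7, 6)),   # on time
    Finding("V-2", "email", "high", date(2014, 7, 10), date(2014, 8, 20)),     # 11 days late
    Finding("V-3", "email", "medium", date(2014, 8, 1)),                       # open, within SLA
    Finding("V-4", "payroll", "critical", date(2014, 8, 5)),                   # open, overdue
    Finding("V-5", "payroll", "high", date(2014, 6, 1), date(2014, 6, 25)),    # closed last quarter
    Finding("V-6", "payroll", "low", date(2014, 7, 15), date(2014, 9, 1)),     # on time
]

if __name__ == "__main__":
    rows = service_metrics(SAMPLE_FINDINGS, date(2014, 7, 1), date(2014, 9, 29))
    for service, r in sorted(rows.items()):
        print(f"{service:10} {r}")
    print("executive:", executive_rollup(rows))
```

Closures from before the quarter are deliberately excluded so that each quarterly report reflects only work done in that window, while open findings are judged against the report date rather than the quarter boundary, so an overdue item keeps appearing until it is actually closed.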

4 A Bigger Picture for the CIO

Before making key decisions, CIOs typically want to get a “big picture” view of risk. This assessment often includes what is going on at the IT enterprise level.

The Pervasive Security Accelerator (PSA) is a wide-reaching CIO initiative at Cisco, of which the USM programme is a part. Security metrics obtained from the quarterly ITRM dashboard give the CIO a consistent picture of Cisco’s security posture from disparate IT systems in a consolidated report, enabling prompt, responsive interaction for remediation efforts between IT service owners and the CIO. Ultimately, this leads to improved security performance.

Takeaways From Year One

Consider the iceberg. What makes icebergs so treacherous to ships is the fact that sailors can see only 10 percent of their mass rising above the water; the remaining 90 percent lurks unseen beneath the surface. Similarly, metrics and numbers on a chart represent only the tip of an iceberg. Rich, meaningful and actionable data – when leveraged successfully – can drive great results and outcomes. As the USM programme embarked on uncharted waters, the journey taught us valuable lessons along the way, including:

Focusing on partnerships has been a key component of success for the USM programme. These partners include Service Security Primes and Partner Security Architects, who make up a virtual team of trusted security advisors. In cooperation with IT service owners, risk management groups and decision makers (including the CIO), these partners work in concert with InfoSec to secure and protect Cisco. Because of InfoSec’s tight alignment with these groups, it is able to more effectively manage security investments, actions and processes globally. This enables advanced metrics beyond basic security hygiene to more sophisticated posture assessments (i.e. risk determination) within IT and other outside teams.

Even if a programme is ambitious, it’s a good idea to start small. That way the team is able to monitor, measure and adjust the security metrics programme as it goes. This measured pace allows for standardization of existing programme processes and enables the team to create IT service owner “champions” that can evangelize the security programme for broader adoption and long-term sustainability.

Training: A Potent Conduit

How will employees know how to participate in a new programme if they don’t receive training? Cisco uses formalized, ongoing programmes to train employees, such as the Security Knowledge Empowerment (SKE) programme. The programme expands security knowledge across the organization in curricula ranging from security basics to more in-depth classroom work, mentoring and group projects. When combined with Service Security Primes and Partner Security Architects, the SKE programme provides a potent conduit to expand security DNA throughout the company.

In order to build trust and credibility with multiple stakeholders, it is necessary to keep the USM process open, transparent and non-punitive. Stakeholders can count on InfoSec to consistently deliver reliable, unbiased metrics. Ample time is also provided for broad internal team reviews and remediation efforts, along with clear communication for next steps. As a result of these collective activities, shared responsibility and accountability become the norm, fueling early programme adoption among IT service areas and improved security performance.

To maintain consistent security metrics, communication process flow loops are critical. Establish a 13-week, quarterly timeline so that IT service owners know when they can expect their security data, where they can find the data (such as ITRM dashboards or portal sites) and how to interpret the data (reports). Keeping the lines of communication open enables users to access vital information in real time and creates better synergy and dialogue between groups to remediate any security issues found.

Risk metrics need to be regularly tracked by IT, but don’t over-engineer this. Begin by pulling data from IT system logs and dashboards. InfoSec narrowed its data sources from 30 to five and, in doing so, drove security process improvement behaviours and action within IT. The key is determining what you want to measure and what outcomes you want to achieve.

IT infrastructure faces difficult security challenges today, within businesses and government entities alike. Cisco created USM to solve those challenges by defining a set of metrics and using them to measure the security posture of its IT services over time. With greater visibility into the network, the team can more easily see vulnerabilities in key systems. As we address those vulnerabilities, the network becomes more secure. USM is an example of a programme that makes metrics-based actionable insights a reality with the ultimate goal of protecting critical assets.

The first part of this story can be found here
