RSA Europe 2013: Qualys Launches Metrics Initiative

Wolfgang Kandek, RSA: Copyright All rights reserved by RSA Conference

The initiative is part of the Trustworthy Internet Movement (TIM), founded and funded by Qualys CEO Philippe Courtot in 2012. The objective of TIM is to use the power of the global security community to advance industry-wide development and change. “Positive energy is crucial in this industry as mostly we deal with negative impacts, like budgets, malware and breaches”, said Kandek.

In line with those aims, organisations are invited to contribute easily-understandable security metrics that information security professionals can use to present to the business. “Let’s collect examples of what is working and their positive impact. It will provide a roadmap of the values we should look out for and what we should prevent”, he said.

Kandek gave the example of the US Department of State introducing a formula for calculating a risk score for every computer. The visibility of risk scores creates a ‘security market’ of risk scores which the IT security team can use in order to influence staff behaviour.

The biggest threats get the highest scores, thereby making them a top priority. Within a year, the department was able to reduce its overall risk score by 90% by incentivising people to address the biggest risks as quickly as possible, Kandek told the audience.

Kandek also explained how Qualys has introduced “half-life”, a metric which records the time interval needed to reduce the occurrence of a vulnerability by half. Although dependent on sector, the initial half-life duration was thirty days, but it is now averaging 25 days, with 16 days for IE. This half-life data is based on over 800 million scans annually by Qualys. “It’s our challenge to get to single-digit numbers within the next six months”, he said.
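To make the half-life metric concrete, here is an added example (not Qualys code, and the scan counts are constructed) that estimates a vulnerability's half-life from successive scan results. It assumes prevalence decays exponentially, so a least-squares line fitted to log(count) against time gives the decay rate and hence the half-life; the helper also converts a half-life into the days needed for a given overall reduction, such as the 90% figure quoted above.

```python
import math

# Constructed sample: hosts still exposing one vulnerability on successive
# scan days after the fix was released. Illustrative numbers only.
SAMPLE_DAYS = [0, 7, 14, 21, 28, 35]
SAMPLE_COUNTS = [1000, 820, 670, 550, 450, 370]


def fit_half_life(days, counts):
    """Estimate the half-life (days) of a vulnerability's prevalence.

    Assumption: counts decay exponentially, N(t) = N0 * 2 ** (-t / T).
    Fitting log(N) against t by least squares gives slope k = -ln(2) / T,
    so T = -ln(2) / k. Zero counts are skipped because log(0) is undefined.
    """
    pts = [(t, math.log(n)) for t, n in zip(days, counts) if n > 0]
    if len(pts) < 2:
        raise ValueError("need at least two non-zero observations")
    n = len(pts)
    mean_t = sum(t for t, _ in pts) / n
    mean_y = sum(y for _, y in pts) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    slope = sxy / sxx
    if slope >= 0:
        raise ValueError("prevalence is not decreasing; half-life undefined")
    return -math.log(2) / slope


def days_to_reduce(half_life, remaining_fraction):
    """Days until prevalence falls to `remaining_fraction` of its start.

    A 90% reduction means remaining_fraction = 0.1, i.e. log2(10) half-lives.
    """
    if not 0 < remaining_fraction < 1:
        raise ValueError("remaining_fraction must be between 0 and 1")
    return half_life * math.log2(1 / remaining_fraction)


if __name__ == "__main__":
    hl = fit_half_life(SAMPLE_DAYS, SAMPLE_COUNTS)
    print(f"estimated half-life: {hl:.1f} days")
    print(f"days to a 90% reduction: {days_to_reduce(hl, 0.1):.1f}")
```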

Kandek announced that Qualys has committed to posting the monthly half-life benchmark for Microsoft’s Internet Explorer on the TIM project page to support the security metrics initiative.

Kandek concluded his keynote with a call to action. “There’s no secret, we have metrics data already, we just need to extract, pivot and share it from our security management tools.” Qualys, he said, will be reaching out to customers and experts for support. “If you’re interested in helping and collaborating or just in the data, sign up”, he said.
