Board Level Security Metrics

Last week I attended the Infosecurity Council and had the privilege of spending some time with many security leaders. I always find these meetings very interesting, as I will always learn something that I didn't know before. This meeting was no exception. Before the meeting started, I was chatting with Andrew Yeomans (from the Jericho Forum), and the conversation turned to a feeling that some of the topics covered in several security conferences over the last year had been very similar.

Soon the topic moved on to what is different now in the security industry that makes a difference in an organisation. As the conversation developed I was left with the following thoughts:

  • Other Board level roles have mature metrics that they are able to call on, e.g. Human Resources (headcounts, etc.), Finance (monthly accounts, budgets, forecasts, etc.), Sales (current, forecast, etc.), R&D (new products, stages of development, etc.)
  • Security, on the other hand, is not only not represented on the Board, but its metrics are not as mature, nor are they recognised by the security industry itself, or even by senior industry practitioners.
  • Furthermore, most Board metrics that may be provided will be out of date by anything up to a few days, without any loss of confidence in that Board member. Security metrics, however, are only really useful if they are up to date to within a few hours.

This got me thinking further (thanks Andrew) about:

  • What is the unofficial norm across corporates (regardless of the security metrics they use) on how up to date the metrics have to be to be meaningful to pass on to the Board?
  • What level of confidence do security managers want the Board to have in the security function?
  • Do you provide the same metrics to the business as you do to the Board? If not, which is more up to date?
  • What is the balance between providing threat information and risk information?

Also, by not having a standard set of metrics as other Board level roles (may) have, are we making it difficult to really understand the organisation's current security posture in a way the Board can relate to? I was left thinking that maybe we, the security industry, need to have two lots of Board level security metrics: those that we can all agree on, and those that we don't agree on, as they will depend on the business and industry.

There are several people who have done some excellent work in this field. I will report back on this with a list of resources, with the hope of moving the discussion closer to something useful.
