Making Security Metrics That Matter

Making security matter to the business

What are the strategic goals for your organization in 2012? Can you recite them off the top of your head? If you can’t, you’re not alone. The inability of enterprise security teams to answer those questions is one of the biggest obstacles facing our discipline today, and it’s the biggest reason current security metrics do not grab the attention of organization leaders.

Know Why You’re There: Business Productivity

The traditional role of security in the organization has been that of a cost-center to be minimized. Besides preventing breaches, security’s success has historically been defined by internally developed measures. We work to create best-practice metrics that show how mature the security program is, and we pass them around to one another as indications of our success. Unfortunately, those kinds of security metrics do not speak to the heart of the business.

IT has made the shift from support to delivering value. Security must follow.

In many organizations, both small and large, IT has successfully made the transition from its traditional role as a support service to driving business value. In manufacturing firms, IT has provided huge returns in implementing ERP (enterprise resource planning) and MRP (material requirements planning) systems. In marketing organizations, IT provides direct business value in improved marketing through analytics and improved CRM (customer relationship management) solutions. And in many software and solution companies, IT actually is the value the business offers, either through technical skills or solutions made by IT.

So far, security has not managed to make that same shift. We are still implementing security based on our own priorities and goals, rather than on what makes the larger organization successful. Whenever we talk about the success of our security program in terms of adherence to an industry standard, a best practice or a framework, we’re defining our goals based on the requirements of a third party, one that does not have the specific interests of our organization in mind.

I am not suggesting we should abandon frameworks and build everything from scratch. In fact, I strongly believe that most security programs should be built to a framework. But it’s how we customize our specific implementation and how we view that framework that differentiates a business-enabling security program from a stifling one.

How Security Meets Those Objectives

A successful security program starts with the goals of the organization and flows from there. As an example, consider the differing needs of two organizations.

  1. A small software development shop with a couple dozen employees, selling consumer software to end users.
  2. A large manufacturing and retail organization that sells primarily to professionals and corporations.

Company 1 needs to create highly innovative software and get it into the hands of consumers quickly, while trends are still hot. Company 2 needs an extensible program that can integrate with numerous vendors and partners without adding crushing overhead to the supply chain, and repeatable, provable procedures that can be demonstrated to customers and regulators. Can you imagine trying to implement the same type of security program for both of these companies? Unfortunately, that’s exactly what many security practitioners do. The key to success in both of these organizations is in understanding how the organization can be successful, and implementing security in a way that supports that success.

The objectives of the business should dictate the initiatives of the security team.

For Company 1, security must create efficient ways to rapidly enable the company to go to market, without suffering from devastating security breaches. For this security department, it may entail security initiatives like: (1) secure coding training for developers, (2) security consultation during the software architecture process, (3) automated code review as a part of the development process, and (4) vulnerability scanning and on-going penetration testing as a part of the QA cycle.

For Company 2, the organizational goals are to improve supply chain efficiencies and reduce the overhead of achieving regulatory compliance. To support these initiatives, security will (1) implement a federated sign-in solution to allow better collaboration between organizations, (2) create a tiering system for vendors, maintaining high security requirements for those vendors with access to sensitive information while reducing the requirements on vendors without sensitive access, (3) ensure procedures and auditing exist for all processes that are required for compliance, and (4) ensure that disaster recovery plans are created and tested for all critical business functions, in compliance with applicable regulations.

Metrics That Make Sense… To The Business

After we’ve created these security initiatives that address our company’s goals, we need to measure them and show them off. Note the difference between the metrics used by Company 1 and Company 2, and how each security team uniquely demonstrates and measures the value added to its business. First, we take the organization’s strategic goals. Under those goals, we list the security programs that we’ve implemented to support them. Next, we determine metrics that will explain how those initiatives help the business. The key here is that those metrics must be in words that make sense for the business, not for the InfoSec department.



Gone are metrics like “vulnerabilities found” and “patch level.” In their place are metrics that directly address the priorities of the business. By crafting the metrics in the language of our business leaders, we are demonstrating the value of their security investment in a way that matters to them.

Context is essential. Security measures must be written in the language of the business.

Context is key. Security exists within the context of the company that employs it. Understanding the objectives, motives and vernacular of the industry is critical. A software company may want to read about features released, time to market and improved quality. But a bank is interested in fraud cost reduction, regulatory compliance and accounts added. Knowing what makes your organization successful is essential in capturing the right metrics.

In order for security to have a seat at the table in overall business strategies, the business leaders must see that security is up to the task. They want to see that security is delivering tangible value to the overall organization. Mapping our initiatives back to strategic goals and reporting our results in the language of the business are the best ways to demonstrate that value.

Security’s Fundamental Truth and Problem

Overcoming Security’s Fundamental Truth & Problem

You’ve heard it before, right? “Security is inversely correlated to convenience.” This is not news. It is convenient to be able to sit right down at a computer and have access to all the data. It’s not convenient to lock our car doors, shred our credit card bills, or drive at the speed limit. Yet most of us do these things (at least sometimes) because we want to keep our stereo, protect our identity and avoid dying in a traffic accident.

It’s this very nature that makes security so difficult for business people and IT folks to readily accept. Security really is hard. It is inconvenient. It takes a 10-minute process and turns it into 11, 15, 30 or 60 minutes. This is a hard fact. Why wouldn’t our business partners give pause when security comes with these kinds of burdens?

So, what can those of us in the security team do about this? First of all, we need to acknowledge it. Don’t pretend that security has no productivity cost. Explain to our business partners that yes, security does impact their productivity. Then lay out the pros and cons. A firewall will slow down the time to provision that new web service… but it will better ensure that the service can remain online (by preventing threats to its availability), the data behind it is not leaked inappropriately, and that the company can continue to function (by demonstrating security compliance to the necessary regulatory bodies).

Security negatively correlates to convenience, but remember, correlation does not imply causation.

Admitting to the problem is the first step. The second is working to reduce this impact. Yes, we know that security negatively correlates to convenience. But never forget that primary rule of statistics: Correlation does not imply causation! All too often we forget that. And fortunately, there are ways to implement security that are convenient.

50 years ago seat belts were not universally allowed in cars. They were uncomfortable, restricting… let’s be honest, they were inconvenient. While the auto industry has tried to make them more convenient, it’s largely failed. (Is anyone a fan of those automatic seatbelts? I’m perpetually waiting for them to open or close.) As we kept our eyes focused on seatbelts, an interesting thing happened. Airbags emerged. Seatbelts are inconvenient. Airbags are not. Airbags allow us to increase our safety while we drive, just like seatbelts do, but they do it in a way that the user doesn’t even notice they’re there.

Information security is similar. No, we cannot eliminate the inconvenience to users, but we can find ways to maximize our security while minimizing our level of intrusion. Think about physical security. Years ago we all had a metal key to enter our offices. While not the epitome of inconvenience, fumbling for the key to get in often encouraged our employees to just leave doors propped open or unlocked. And if the key got lost… forget about it. We had to rekey the lock and make a new key for everyone. But today almost all organizations use proximity cards to provide physical access. These cards increase security by allowing us to provide granular access to certain areas for individuals or groups, and to easily deactivate a lost badge. But best of all, they do it while improving convenience for the end-user. It’s a lot easier to simply hold a badge near a reader than to fit a key into a lock. Easier for the end user and easier for the administrators.

Invest in areas where security can enhance the user experience

We in information security have a similar opportunity. While we cannot completely eliminate the inconvenience associated with security, we can capitalize on those areas where security can be improved while the user experience is enhanced, untouched, or minimally impacted. Before implementing a new security measure we should plot it on the User Impact chart.


Enhanced. This is the sweet spot. But it is also the most difficult condition to create. Web filtering is a good example of a place where we have both added security and improved the user experience. By automatically blocking the execution of malicious code, not only is the system made more secure, but the end-user does not have to deal with unexpected website actions, computer slowdowns and freezes. Remember back when websites could create an endless stream of popups? Our improvements to security have eliminated that annoyance and made surfing the web more enjoyable.

Status quo. This is the situation where we can implement security that is invisible to the user, requiring no additional steps or changes to their processes. Spam email filters and well-tuned firewalls fall into this category. If they are implemented appropriately, the user shouldn’t notice that these systems exist.

Minimal impact. This category includes technologies that do impact the user experience, but do so in the smallest way possible. Adding in-line confirmation of choices and requiring complex passwords are security measures that impose some degree of inconvenience on the user, but do so to realize large gains in security.

The goal is to drive our security solutions further up this chart. As much as we can, avoid the red, productivity-hindering areas. Reducing the degree of user impact is essential to creating a security program that not only reduces risk, but does so in a way that enables the business. As we evaluate which technology to pursue and implement, there are many factors, including threat analysis, financial implications, and business strategy. User acceptance should be included in that evaluation.

Strive to maximize the number of projects that enhance or have no impact on the user, and only implement solutions that negatively impact the user when there are no other acceptable options available. As information security searches for ways to show value to the organization, the fastest and easiest way might just be to stop hindering our employees’ productivity.
