Expert Speak
Getting Security Metrics Right
Written by Hadi Jaafarawi, Managing Director, Middle East at Qualys
When I imagine the region’s CISOs staring unblinkingly at their ceiling as they try to get to sleep at night, I imagine the questions burning in their brains, robbing them of rest. Where are our vulnerabilities? Are we making progress on risk? What is the ROI of our cybersecurity suite? These and other questions are not answered by sleepless rumination, no matter how hard we try. No, they are answered through measurement. But therein lies the challenge. How do we extract the right metrics from the fog of complexity that is the modern IT suite? How do we supply tactical thinkers with accurate information at the right time?
Setting the table
We must begin by focusing on outcomes. If we ingest too many telemetry feeds, we over-encumber the SOC and defeat our purpose before we even begin. If you define what you want to achieve, then it becomes easier to choose those metrics that illustrate delivery or shortfall. After you have determined what good and bad scores look like for your metric, think in terms of a narrative that will resonate with the relevant audience — end users, senior stakeholders, and GRC (governance, risk, and compliance) teams. While telling your story, be sure to include the limitations of current measurement and how to improve on this, once buy-in from your audience is achieved, and more budget is allocated. Also, be ready to answer questions such as “Why now?” and “Why not sooner?”. Let your narrative paint a picture of an ongoing process that has room to mature.
When you start out, it will be necessary to baseline everything to summarize your organization’s cyber-risk posture, from the perimeter (however you choose to define it) to the personal endpoints of remote-working employees. From this, you can gauge the best preventative, detective, and corrective controls to introduce. As part of baselining, perform an audit of data-retention standards and measure the organization’s adherence to them.
Bread and butter
After having established your baselines, you are ready to select Bread and Butter (B&B) metrics. For the purposes of storytelling, B&B metrics should be split into two groups — Below the Line (BTL) for tactical and operations teams and Above the Line (ATL) for leadership audiences. For the former, metrics must provide insights into network environments and arm the SOC with the right information at the right time to allow rapid and effective decisions that can mitigate risk.
The baseline for BTL metrics will have established a picture of hardware distribution and associated risks. For example, mobile devices like laptops are viewed with more suspicion than desktops that are permanently stationed within controlled premises. By distinguishing between assets like this, we can identify vulnerabilities and target mitigations more intelligently. We can also establish better controls. Reviews of software will also be necessary.
Yes, examine servers and cloud-hosting environments, but do not neglect the errant personal device used by a WFH employee. It may be riddled with unsanctioned software and may be missing mandated applications and critical updates. Also missing may be the software agents that gather the very information needed by security teams. The percentage of assets that are missing such agents is another critical BTL metric because not only are these assets at risk but so are any assets with which they share dependencies.
When considering ATL metrics, we need to provide leadership teams with the right information to craft value-adding risk-management strategies. These metrics centre on strategy and the building of a more resilient security posture, so they often involve organization-wide measurement and risk scoring. Cumulative risk scoring can be helpful in giving a bird’s-eye view of vulnerabilities and their associated risks. A risk heatmap allows leaders to see at a glance where they need to direct resources. Sometimes that can be done by instructing teams to refocus their efforts.
In other instances, investment in a new tool or platform may be required. Perhaps the problem can even be addressed through a new policy or awareness training for end users. Care should be taken, however, not to be misled by high-level metrics when vulnerabilities in low-risk assets may obfuscate the organization’s averages. It may be useful to separate ATL risk metrics into device types such as clients, servers, network infrastructure, and so on, together with device roles.
Metrics such as these present decision makers with a view of elevated risk areas, which allows them to target cybersecurity investments. Further segmentation is advised between ATL metrics that cover internal networks and those that measure risk from external domains. As IT environments become more of a mixture of cloud and on-premises, understanding these risks separately helps leaders make better decisions about the source of risk and the extent to which they can control their exposure.
On-premises data centres and cloud platforms vary greatly in risk profile. On-premises facilities are physically more secure but challenges such as scaling, resources, and hardware maintenance remain. Cloud platforms solve these problems and present the added value of managed services and predictable costs. But when it comes to security, the shared responsibility model is a work in progress and the distribution of obligations between provider and customer represents many risks, including those associated with potential misconfigurations. It is important to get to grips with these details and balance the architecture of the environment with the organization’s risk appetite and business requirements.
Measure who you are
Organization-wide risk scoring may be critical, but that does not mean that we abandon more granular risk assessment. Segmentation can be done by geography, subsidiary, or business unit. Metrics that are tailored to these categories will lead to more actionable information. Again, stratification allows more efficient allocation of resources as teams deploy security measures intelligently to address unique challenges. Measurement must never stop, because threats never stop.
Genetec has shared a comprehensive set of data protection best practices to help physical security leaders protect privacy, safeguard data, and enable trust without compromising security. This initiative comes as a response to the escalating importance of data security in an increasingly interconnected digital landscape. By prioritising privacy, organizations can effectively contribute to a safer digital and physical landscape for all.
“Organisations should never have to choose between data privacy and security. By equipping physical security professionals with these essential strategies, Genetec is spearheading a paradigm shift towards a more resilient and trustworthy security ecosystem. It is an ongoing process, and organizations should regularly update protocols, stay informed and continuously educate their teams on best practices”, said Firas Jadalla, Regional Director – Middle East, Turkey and Africa (META) Genetec.
Genetec recommends organizations ensure their security systems respect data privacy by:
Collecting and Storing Only What You Need: A fundamental rule of data security is to collect and store only essential information. The potential impact of a security breach can be reduced by minimizing stored data. It’s important to regularly review and audit data and dispose of unnecessary information responsibly.
Limiting Access to Sensitive Data: Enhancing data security involves restricting access to sensitive information. Genetec recommends implementing data-sharing best practices, such as removing personally identifiable information to safeguard individual privacy. Techniques for anonymizing personal information while retaining its utility include:
- Randomisation by adding noise to numerical values such as an individual’s age or income)
- Pseudonymisation such as replacing names with unique identifiers
- Tokenisation such as replacing credit card numbers with tokens that have no direct correlation to the original numbers
- Generalisation such as converting exact birthdates to age ranges
- Data masking shows only the first few digits of a phone number
Ensuring Privacy without Compromising Evidence: By making use of technologies such as KiwiVision Privacy Protector, organisations can automatically anonymise images of people, so they can continue to survey surveillance footage while respecting privacy. This technology also offers an additional layer of security that ensures only authorized users can “unlock” and view unmasked footage while maintaining an audit trail.
Being Transparent and Getting User Consent: Building trust through transparency and user consent is essential. It’s important to communicate with users about the data collection process, promoting informed decisions. Organizations should also gain explicit consent before collecting and processing data.
Choosing a Reliable Data Storage Provider: Organisations should select a data storage provider carefully, ensuring a clear understanding of data storage, handling, and sharing practices. If using third-party services, organisations should demand strong security measures and reliable data handling practices. Establish who “owns” any data stored in the cloud, and any rights/privileges associated with the use or disclosure of any information.
Establishing Strong Policies: To ensure long-term data safety, Genetec recommends putting in place robust policies across the organization. Enforcing a transparent chain of custody through technology, such as a Digital Evidence Management System (DEMS), ensures accountability and traceability at every stage of the data lifecycle.
Written by Jim Richberg, Head of Cyber Policy and Global Field CISO, Fortinet (more…)
Written by Amr Alashaal, Regional Vice President – Middle East at A10 Networks (more…)
Video: Interview with Selim Bouri of Airbus at Critical Communications World 2024
Video: Interview with Yasar Arafath of Hytera at Critical Communications World 2024
Regional Leaders Chart Course for Secure Telecom Networks at SAMENA Leaders Summit 2024
Security Review – May-June 2024: CCW 2024 Special Edition
Mansoor bin Mohammed Inaugurates Critical Communications World 2024
Qualys Offers 30-Day Free Access to the Qualys Enterprise TruRisk Platform
CyberKnight to Focus on Zero Trust Security at GISEC 2024
Positive Technologies to Knock Out Email Threats at GISEC 2024 with New Service
Snowflake Launches Arctic LLM for Enterprises
Mansoor bin Mohammed Opens GISEC Global 2024 at DWTC
Video: Interview with Selim Bouri of Airbus at Critical Communications World 2024
Video: Interview with Yasar Arafath of Hytera at Critical Communications World 2024
Video: Interview with Bertil Brendeke of BotGuard at #GISEC2024
Video: Interview with Abdul Rehman Tariq of SolarWinds at #GISEC2024
Video: Interview with Prashant R. Menon of Check Point at #GISEC2024
-
Critical Communications1 week agoKirisun to Showcase DMR and PTToC Solutions at CCW 2024 in Dubai
-
Critical Communications1 week agoAirbus to Show Off Agnet Turnaround at Critical Communications World 2024
-
Critical Communications6 days agoNedaa Primed for Critical Communications World 2024
-
Cyber Security3 days agoRegional Leaders Chart Course for Secure Telecom Networks at SAMENA Leaders Summit 2024
-
Critical Communications4 days agoMansoor bin Mohammed Inaugurates Critical Communications World 2024
-
Critical Communications3 days agoVideo: Interview with Yasar Arafath of Hytera at Critical Communications World 2024
-
Magazine3 days agoSecurity Review – May-June 2024: CCW 2024 Special Edition
-
Critical Communications5 hours agoVideo: Interview with Selim Bouri of Airbus at Critical Communications World 2024