Security analytics and metrics are as important to the business as any other key performance indicator – such as liquidity, cash flow, or growth in sales or revenue. Today, more boards and leadership teams are demanding that key security analytics and metrics be included in the operational risk portfolio. This puts pressure on security teams to provide analysis and insights that give management the risk intelligence they need to drive better performance.
Security analytics, when properly designed and implemented, can deliver much-needed insights in mapping the size, scale and scope of risks. Analytics can provide a basis for root cause analysis and remediation strategies across policies, processes and, ultimately, investments in technologies. But what’s the best way to do this in a world where the volume, complexity, velocity, variety and veracity of unstructured and structured data make the task of identifying risks with traditional security monitoring systems cumbersome? We are seeing transformation in the way security programs are tackling the identification and analysis of risk. Yo Delmar, vice president of GRC solutions at MetricStream, has identified four key ways security analytics can be used to improve business performance.
Remember that an analytic is more than a metric; it provides insights that help the business make decisions. The key difference is that analytics slice and dice the data on an ad-hoc basis in real time or near real time. Metrics, on the other hand, represent numeric information generated by calculations, often derived from aggregating vast amounts of data from multiple sources such as logs, events or transaction data. A metric that is the result of a calculation does not, in and of itself, provide insights.
Make sure security analytics are aligned to the overall organizational risk framework. For example, if a key performance indicator (KPI) is based on the number of orders, then revenue lost on orders dropped due to security incidents could be a metric of interest to both security teams and the business. The need to present security analytics in terms management can understand and act on is more urgent than ever – and the security analytic model needs to be built in a way that aligns with how the business views risk.
Use security analytics to tell a story that the business can relate to. Share examples of the cost of recent breaches or incidents in your industry and describe the impact in terms that business and risk managers can understand – real business impact – ‘customers were not able to submit online orders for 10 hours’ and/or probable loss magnitudes – ‘the costs to remediate will likely reach $100m given the number of people affected.’ Use security analytics to show trends of increasing exploits against key assets, and demonstrate how your security program has effectively protected sensitive or regulated data and critical business processes. Keep telling the story of how your security program is delivering value. Provide insights backed up by analytics, and use them to justify changes to corporate policy, implementation of stronger controls, and an investment in key monitoring technologies such as identity management and access control.
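The distinction drawn above between a metric (one aggregated number) and an analytic (an ad-hoc slice that explains where the number comes from), applied to the order-loss KPI from the previous paragraph. This is an added illustration, not code from the article or from MetricStream; the incident records, field names and dollar figures are constructed, and the outage-hours × orders-per-hour × average-order-value loss model is an assumption used only to make the example concrete.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    incident_id: str
    process: str            # business process affected (aligned to the KPI owner's view)
    outage_hours: float     # time the process could not serve customers
    orders_per_hour: float  # baseline rate supplied by the business, not by security
    avg_order_value: float  # baseline value supplied by the business
    discovered_by: str      # "internal" or "third-party"


# Constructed sample incidents (hypothetical figures, not from any real breach).
INCIDENTS = [
    Incident("INC-1", "online-orders", 10.0, 120.0, 45.0, "third-party"),
    Incident("INC-2", "online-orders", 2.5, 120.0, 45.0, "internal"),
    Incident("INC-3", "payment-gateway", 4.0, 80.0, 60.0, "third-party"),
    Incident("INC-4", "internal-hr", 24.0, 0.0, 0.0, "internal"),  # no customer orders affected
]


def revenue_lost(inc: Incident) -> float:
    """Simple loss model: orders that could not be placed during the outage."""
    return inc.outage_hours * inc.orders_per_hour * inc.avg_order_value


def metric_total_revenue_lost(incidents) -> float:
    """The metric: a single number management can put beside the orders KPI."""
    return sum(revenue_lost(i) for i in incidents)


def analytic_by_process(incidents) -> dict:
    """The analytic: slice the same data by business process to show where loss concentrates."""
    by_process = defaultdict(lambda: {"outage_hours": 0.0, "revenue_lost": 0.0})
    for inc in incidents:
        by_process[inc.process]["outage_hours"] += inc.outage_hours
        by_process[inc.process]["revenue_lost"] += revenue_lost(inc)
    return dict(by_process)


def analytic_third_party_discovery_rate(incidents) -> float:
    """Share of incidents first noticed by an outside party, a detection-capability signal."""
    return sum(1 for i in incidents if i.discovered_by == "third-party") / len(incidents)


def incidents_over_threshold(incidents, revenue_threshold: float) -> list:
    """Incidents whose modelled loss breaks a threshold and so deserve root cause review."""
    return [i.incident_id for i in incidents if revenue_lost(i) > revenue_threshold]
```

The metric alone says "we lost $86,700"; the slices show that most of it sits in one process and that half the incidents were found by outsiders, which is the story the business can act on.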
Big Data analytics can help security teams become smarter, more productive, and better at making predictions by delving into large, diverse and dynamic data sets, and by leveraging analytics languages such as R. Big Data analysis can be used to detect probable threats based on current vulnerabilities, provide analysis of identity and access, correlate events and alerts, and provide meaningful insights into the effectiveness of security incident remediation. Anomalies relative to normal behavioral baselines, IT operations and configuration states, and capacity forecasting for IT resources are all potential use cases. Bottom line: Big Data offers the ability to correlate security events in the context of critical business processes, applications and sensitive information. Get connected with your organization’s Big Data program or, if it doesn’t have one, be an evangelist and start it in security.
The 2013 Verizon Data Breach Investigations Report revealed that in 2012, 66 percent of breaches that led to data compromise within “days” or less remained undiscovered for months or more, and that in 69 percent of the cases, a third party discovered the breach. It is statistics like this that drive security teams to remain committed to evolving analytic models that provide insight on how to better protect critical processes and sensitive information.
Source: Verizon Data Breach Investigations Report, 2013: http://www.verizonenterprise.com/DBIR/2013/
For every risk that surfaces, and for every incident that breaks a threshold, ask yourself this question – is this an improvement opportunity? Look at the area of concern, understand why it is a risk, and work out the storytelling with your business sponsors. Understand the examples from the evidence collected, and pool this knowledge for future use. Going up the security maturity curve sometimes seems like the torture of Sisyphus, who was cursed to roll a huge rock uphill every day only to have it roll back down – but in fact the landscape is constantly changing, and every incremental improvement drives the program to higher levels of agility and value. What cannot be measured cannot be managed or improved. The first step on the journey comes back to metrics, and their wise cousin, analytics.