Editor’s Note: This is the third part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program (USM). In this installment, we discuss the effectiveness of the USM program at Cisco.
Information security is all about risk reduction, and risks are notoriously difficult to measure – ask any insurance salesman or actuary. So how do we handle this conundrum for a security metrics program that hasn’t even reached its second anniversary yet?
Peter Drucker, noted business management author, once said, “Efficiency is doing the thing right. Effectiveness is doing the right thing.” Even at this early stage of the USM program, we can see four clear indicators demonstrating we’re doing the right things to improve Cisco’s security posture across the IT organization and Cisco. They include the creation of newly defined partnerships, leveraging existing IT risk management frameworks, developing well-defined feedback mechanisms, and gaining increased support and visibility at the CIO level.
Strong Partnerships
Everyone is responsible for security. InfoSec can’t manage this alone and it relies on the cooperation and expertise from other teams. Shared accountability is essential because without it nothing will change. Part of our success has come from the creation of two newly defined roles–Security Service Primes, who are the Chief Security Officer of their respective IT service area (managers), and Partner Security Architects, who are the Subject Matter Experts (technical leads). Neither is part of the InfoSec organization, but they’re fully trained on security and have broad responsibility to govern security. Designating this virtual team of trusted advisors throughout IT helps the relatively small InfoSec team scale and embed security into the IT organization’s DNA.
Leveraging Existing Risk Management Frameworks
Having a well-defined library of common controls within IT to manage risk is important, particularly in a fast-changing IT environment that includes cloud computing, virtualization, and mobile computing. Cisco’s IT Risk Management (ITRM) uses a universal framework to manage risk globally in the areas of Resiliency, SOx, GRC audits, ISO9001, Cloud and Application Security Providers, and Security.
Risk management reporting dashboards found within ITRM provide tremendous insight and visibility at both the service and application portfolio level. By incorporating security metrics into this ITRM framework, IT functions and service areas can more effectively (and efficiently) make better risk-aligned investment decisions and satisfy regulators, auditors (internal and external) and governance, risk and compliance function requirements and needs.
Feedback Mechanisms
Quarterly reporting systems provide detailed security analysis, such as vulnerability and on-time closure metrics at three different levels: working, management, and executive level to assist these groups in driving remediation efforts, identifying trending activities, and for assessing risk. For IT service owners, these transparent reporting systems are vital to make corrective actions in a timely manner.
This non-punitive approach has increased program adoption among IT service areas and, surprisingly, created a sense of competition between different teams within IT to drive success toward improved performance.
CIO-Level Support and Visibility
Gaining an overall picture of business risk at Cisco, including what’s happening at the IT enterprise level, assists most CIOs in making critical business decisions that can affect the organization’s reputation management, intellectual property, disaster recovery planning, marketing, legal, human resources, and even finance activities.
At Cisco, the USM program is part of a broader CIO initiative called Pervasive Accelerator (PSA) which enables Cisco to apply a common set of security leading indicators across its entire organization. Security metrics obtained from the quarterly ITRM dashboard give the CIO a consistent picture of Cisco’s security posture from disparate IT systems in a consolidated report and enable prompt, responsive interaction for remediation efforts between IT service owners and the CIO. Ultimately, this leads to improved security performance.
Final installment: USM: Lessons learned
Great article. The embedded security roles in other parts of the org is key. Can you elaborate in some of the specifics you’re measuring for metrics from an IR perspective? Have been struggling with that.
Hi Gabe,
Just to clarify before I answer, did you mean Incident Response when you mentioned ‘IR’?