Editor’s Note: This is the first part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program. In this first installment, we discuss the value of security metrics at Cisco.
What does the film Moneyball have in common with security metrics? Turns out—plenty. In Moneyball, the storyline focuses on the Oakland A’s baseball team’s quest to assemble and field a competitive team. Fiscally constrained, their general manager takes a new approach to scouting, analyzing and signing players, one driven by metrics.
The general manager’s hypothesis was that the traditional player statistics, such as stolen bases and runs batted in (RBIs), mostly measure speed and contact, while other metrics, such as on-base percentage and slugging percentage, have a far greater influence on the team’s real goal: scoring runs and winning games.
Skeptics scoffed at the data’s reliability as a consistent performance indicator but, much to everyone’s surprise, the data held its own and the A’s became a viable competitor. By keeping their eyes squarely focused on the real problem—protecting and safeguarding their franchise’s future—the A’s used simple, meaningful metrics to manage risk, guide their operating and decision-making practices, and strengthen their brand.
There are many good lessons about metrics in this baseball analogy. Good metrics have three primary attributes: consistency, cost-effectiveness and significance. Cisco’s Information Security (Infosec) team, while not a baseball team, applies the same fundamentals to protect Cisco’s IT infrastructure against attacks. One of its key governance programs, Unified Security Metrics (USM), is part of a broader CIO initiative called the Pervasive Security Accelerator (PSA), which enables Cisco to apply a common set of leading security indicators across its network.
USM was specifically designed to promote continuous improvement, measure the security posture of an IT service over time, and provide a two-way reporting and feedback mechanism between Infosec and IT service owners and leaders on a quarterly basis. Increased visibility of these security indicators provides critical system-vulnerability intelligence that can be used for preventive or prescriptive remediation; risk management and security posture assessment; improved security hygiene; and operational and business decision-making. More importantly, the introduction of USM represents a paradigm shift at Cisco: security issues are now handled strategically rather than reactively, and organizations such as IT gain expanded operational control and flexibility in managing their security investments, actions and processes.
Meaningful metrics, as the Moneyball example illustrates, can transform an organization and solve real business problems. Two further lessons follow. First, metrics do not need to be sophisticated, because most attacks are not: the 2013 Verizon Data Breach Investigations Report confirmed that “99% of all security compromises required moderate-to-little sophistication,” so measuring basic hygiene is where the leverage lies. Second, you can’t manage what you don’t measure. The policies Cisco uses to ensure hygiene (patching systems, building security in and managing vulnerabilities) have existed for many years; however, when we first started measuring these existing activities, very few teams were doing them well. Today, with enhanced measurement and reporting through USM, we have improved our vulnerability on-time closure rate from 15% to 85%, which shows that expanded visibility motivates people to do their part.
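The on-time closure rate cited above is a simple metric to compute once every finding carries a severity-based SLA, and it is worth seeing exactly what is counted. The Python below is an added example, not Cisco’s USM code; the SLA_DAYS values, the service names and the findings are constructed assumptions for illustration. It attributes each finding to the quarter in which its SLA due date falls, counts a finding only once that date has passed, and treats a finding that is still open past its due date as a miss rather than ignoring it.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumed SLA (days allowed to close a finding) by severity.
# Illustrative values only, not Cisco's actual policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    service: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None: the finding is still open


def due_date(f: Finding) -> date:
    """Date by which the finding must be closed under its severity's SLA."""
    return f.opened + timedelta(days=SLA_DAYS[f.severity])


def quarter_of(d: date) -> str:
    """Calendar quarter label such as '2024Q2'."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def sla_verdict(f: Finding, as_of: date) -> Optional[bool]:
    """True if closed on or before its due date; False if the due date has
    passed and the finding was closed late or is still open; None if the SLA
    clock is still running on the report date (not yet reportable)."""
    due = due_date(f)
    if due > as_of:
        return None
    return f.closed is not None and f.closed <= due


def on_time_closure_rates(
    findings: Iterable[Finding], as_of: date
) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Per (service, quarter in which findings were due): number closed on
    time, number due, and the on-time rate as a percentage."""
    tallies = defaultdict(lambda: [0, 0])  # key -> [on_time, due]
    for f in findings:
        verdict = sla_verdict(f, as_of)
        if verdict is None:
            continue  # SLA window still open: reported once it elapses
        key = (f.service, quarter_of(due_date(f)))
        tallies[key][1] += 1
        if verdict:
            tallies[key][0] += 1
    return {
        key: {"on_time": on_time, "due": due, "rate": round(100.0 * on_time / due, 1)}
        for key, (on_time, due) in sorted(tallies.items())
    }


# Constructed sample data (not real findings); report date is 2024-07-01.
AS_OF = date(2024, 7, 1)
SAMPLE_FINDINGS = [
    Finding("erp", "critical", date(2024, 1, 10), date(2024, 1, 15)),       # due Jan 17, on time
    Finding("erp", "high", date(2024, 2, 1), date(2024, 3, 20)),            # due Mar 2, closed late
    Finding("erp", "medium", date(2024, 1, 5)),                             # due Apr 4, still open: a miss
    Finding("erp", "low", date(2024, 5, 1)),                                # due Oct 28: clock still running
    Finding("hr-portal", "high", date(2024, 4, 10), date(2024, 5, 5)),      # due May 10, on time
    Finding("hr-portal", "critical", date(2024, 6, 25), date(2024, 6, 30)), # due Jul 2: not yet reportable
    Finding("hr-portal", "medium", date(2024, 1, 20), date(2024, 4, 25)),   # due Apr 19, closed late
]


def sample_report() -> Dict[Tuple[str, str], Dict[str, float]]:
    return on_time_closure_rates(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for (service, quarter), r in sample_report().items():
        print(f"{service:10} {quarter}: {r['on_time']}/{r['due']} closed on time ({r['rate']}%)")
```

Counting a finding only after its due date has passed, and against the quarter it was due, keeps each quarter's population fixed once the quarter ends: a team cannot raise the number by closing easy findings early, and an overdue finding keeps counting against the quarter it was due until the population is closed out, which is the behaviour that makes the metric motivate closure rather than reclassification.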
At Cisco, USM combines multiple sources of individual data to create higher-value actionable business metrics and decision-making capabilities to protect the company’s data, business processes, operational integrity and brand from security incidents. For all of us at Cisco—that’s a home run!
Next installment: USM: Where do you begin measuring?
Interesting!
Looking forward to the next instalment
Hi, Sujata –
Nice post! I remember listening to Moneyball on my way up to a security con in Toronto in 2004 and all my light bulbs started going off. Great, eye-opening stuff. I called it my favorite security book of the year.
Here’s a question for you – you mention that great recognition that RBI doesn’t matter if it doesn’t contribute to scoring runs. So, what is the equivalent of runs scored in infosec?
Regards,
Pete Lindstrom