Friday, September 7, 2012

Metrics Handy to the CSO

By Shafaq Rizvi

Managing a business is more intricate and demanding than establishing one, for it requires the managers and chief officers of a company to keep their eyes peeled and watch over the performance and policies of the company. It is, rather, a matter of checking whether a company’s workforce conforms to the standards and rules set by the company and whether the performance and activities carried out comply with the benchmarks the company has set. Therefore, setting standards and creating measures for managing and examining the assets, business activities, and employee performance of a company is crucial and necessary, particularly for large companies. These policies and standards are the metrics that come in handy to the chief operating officers of a company.

However, there is something more significant than monitoring and managing the employees and their performance. This crucial part is ensuring and affirming the security of the entire organization, which encompasses digital security, physical security, and the safety of employees, assets, and facilities. But who carries out this imperative task? This emissary not only vouches for the things mentioned above, but works closely on future business strategies and plans. In addition, this agent looks after loss prevention, privacy, the risks involved, and fraud prevention, and hence is responsible for corporate security as a whole. This intelligence officer is the Chief Security Officer (CSO) of a company. The information above tells what a CSO does. However, how he does it is yet to be explained.

The CSO’s role is not limited to a specific department. He works for the whole company, and therefore it is his job to optimize performance and minimize the risks involved in the business activities and functions. But what helps in assessing the risks? What assists in measuring and judging the performance of the organization and identifying its security problems?

Metrics: The Key

A CSO is responsible for ensuring security. To help him achieve this goal, there are certain measures, policies, and standards playing a supporting role. These metrics comprise financial metrics, operational metrics, security metrics, etc.

Security Metrics and Security Issues

Information is one of the most important assets of a company. How it is accessed, and by whom, is one of the major concerns of a CSO. However, information security does not end there. It entails information storage, information keeping, information handling, and information distribution and circulation. Loss of data or misuse of information can give acute myocardial infarction to the board of directors of the company and put a CSO in trouble, but is there any way to prevent this from happening?

At an organizational level, data protection is possible by integrating cloud security, a system that is controlled and operated by a third party that keeps track of all the information and websites that are accessed. However, cloud security needs evaluation as well. Another way to look at security is to see how well one is protecting the company against the core information security threats. The first and foremost duty of a CSO is to make sure that the systems used by the employees are protected. Malware infections and accidental downloads of spyware can affect the computers and the data stored on them. To avoid this situation, the simplest metric is the use of antivirus software. However, it is important to scan all the systems from time to time. Antivirus software acts as a security tool, but it is equally important to measure what share of devices and systems these tools actually cover. It has been suggested that the ideal coverage range is 94% to 98%, and coverage below 94% can be a menace. These antivirus tools detect threats and indicate to what extent the devices are protected.

Another useful metric can be password strength.[1] With this metric, it is possible to minimize risks by examining and filtering weak and bad passwords and making them stronger. Furthermore, it can help in identifying the feeble spots where main systems still use default passwords. However, viruses, hacking, spyware and Trojans are not the only security threats. The organization and its systems are vulnerable to more severe hazards and damages, and it is essential to make sure that the organization is protected physically as well as technically. More intense damage and losses can occur because of burglary, fire, theft, natural disasters, terrorism, and wreckage. Physical security can be achieved by hardening sites against environmental disasters, through fencing, water sprinklers, multiple locks, etc. Similarly, cameras, heat sensors, alarms, and smoke detectors form the notification systems. These measures achieve physical and technical safety, but they are solutions and medicines for security problems, and the solutions are devised on the basis of security measurements, risk assessments, and other statistics.
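The two security metrics described above, antivirus coverage against the 94%/98% range the article quotes and a weak/default-password check, as an added example computed over a small constructed inventory. This is illustration code, not the article's or any vendor's tooling; the host names, the candidate passwords, the list of default passwords and the 12-character minimum are assumptions made for the example.

```python
import re

# Constructed sample inventory of devices; hostnames and flags are illustrative only.
ASSETS = [
    {"host": "ws-01",   "av_installed": True},
    {"host": "ws-02",   "av_installed": True},
    {"host": "ws-03",   "av_installed": False},
    {"host": "srv-db",  "av_installed": True},
    {"host": "srv-web", "av_installed": True},
]

# Coverage band quoted in the article: 94% to 98% is the suggested ideal range.
IDEAL_LOW, IDEAL_HIGH = 94.0, 98.0

# Constructed list of vendor defaults and trivially common passwords (assumption).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default", "root"}

MIN_LENGTH = 12  # assumed policy minimum; the article does not specify one


def coverage_percent(assets):
    """Share of inventoried devices that have antivirus tooling installed."""
    if not assets:
        return 0.0
    protected = sum(1 for a in assets if a["av_installed"])
    return round(100.0 * protected / len(assets), 1)


def coverage_status(pct):
    """Classify a coverage figure against the article's 94%-98% band."""
    if pct < IDEAL_LOW:
        return "below threshold"
    if pct <= IDEAL_HIGH:
        return "ideal range"
    return "above ideal range"


def unprotected_hosts(assets):
    """Devices to follow up on: inventoried but without antivirus tooling."""
    return [a["host"] for a in assets if not a["av_installed"]]


def password_findings(candidate):
    """Return the policy violations for one candidate password (empty list = OK)."""
    findings = []
    if candidate.lower() in DEFAULT_PASSWORDS:
        findings.append("default or common password")
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        findings.append("fewer than 3 character classes")
    return findings


def audit_passwords(candidates):
    """Map each account label to its findings, keeping only the ones that fail."""
    report = {}
    for label, pw in candidates.items():
        findings = password_findings(pw)
        if findings:
            report[label] = findings
    return report


# Constructed candidate passwords, as they would be checked at password-set time.
CANDIDATES = {
    "svc-backup": "admin",
    "ws-02 user": "Summer2012",
    "srv-web":    "Tr0ub4dor&3-xyz!",
}

if __name__ == "__main__":
    pct = coverage_percent(ASSETS)
    print(f"antivirus coverage: {pct}% ({coverage_status(pct)})")
    print("unprotected:", unprotected_hosts(ASSETS))
    for label, findings in audit_passwords(CANDIDATES).items():
        print(f"{label}: {', '.join(findings)}")
```

The coverage figure is only as good as the inventory it is computed over: a device that is missing from `ASSETS` is invisible to the metric, which is why the article's advice to scan all systems from time to time matters as much as the percentage itself.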

A threat is accompanied by risk, and therefore the risks should not be overlooked as something mundane. But how can a CSO measure these risks and suggest a solution on the basis of the safety situation, budget, and resources?

There are quantitative and qualitative methods, or metrics, for measuring and assessing the safety situation and the risks involved. Security surveys are used by the CSO to target certain assets for assessment. These surveys are conducted with the aim of minimizing risk. With security surveys, a CSO is able to recognize and consider the vulnerabilities of an asset and can therefore protect the asset in a better way. Security metrics charts are helpful in monitoring these surveys and the related benefits and costs. Security risk matrix/assessment prototyping enables the CSO to know the risk levels on the basis of the thoughts and perceptions of people regarding perils. This information from the people and experts operating these systems can be valuable for the CSO. However, assessing risks through risk ratings provided by the experts should be backed by further probing of the situation. This further probing means asking ‘Why’. For instance, one can ask why a particular system is more vulnerable than other systems. By doing this, one can respond to the situation effectively. Another qualitative metric is to measure differences in agreement. An area receiving consistent, positive comments will need less attention, while areas that receive a clash of opinions and disagreement will most probably indicate a problem area or a sensitive area. Measuring risks qualitatively does provide in-depth information and a holistic viewpoint, but will these metrics be enough for measuring risks and systems’ vulnerability and for predicting threats?
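The risk matrix and the "differences in agreement" metric from the paragraph above, as an added worked example that is not from the article. Several respondents rate each asset's likelihood and impact on a 1 to 5 scale; the per-respondent risk score is likelihood times impact, the asset's risk level comes from the mean score, and the spread between the highest and lowest score is used to flag the assets where opinions clash and a 'why' follow-up is warranted. The ratings, the band cutoffs and the spread threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed expert ratings: asset -> one (likelihood, impact) pair per respondent,
# each on a 1-5 scale. Illustrative only, not survey data from the article.
RATINGS = {
    "customer-db":  [(4, 5), (5, 5), (4, 5)],   # everyone agrees it is high risk
    "branch-wifi":  [(1, 2), (5, 4), (2, 2)],   # one respondent sharply disagrees
    "lobby-access": [(2, 3), (2, 3), (3, 3)],   # consistently low
}

# Assumed band cutoffs on the 1-25 likelihood x impact score (highest cutoff first).
LEVELS = [(15, "high"), (8, "medium"), (0, "low")]


def risk_scores(pairs):
    """Per-respondent risk score: likelihood multiplied by impact."""
    return [likelihood * impact for likelihood, impact in pairs]


def risk_level(score):
    """Map a score onto the assumed low/medium/high bands."""
    for cutoff, label in LEVELS:
        if score >= cutoff:
            return label
    return "low"


def assess(ratings):
    """Build the risk matrix rows, ranked from highest mean score to lowest."""
    rows = []
    for asset, pairs in ratings.items():
        scores = risk_scores(pairs)
        avg = mean(scores)
        rows.append({
            "asset": asset,
            "mean_score": round(avg, 1),
            "level": risk_level(avg),
            "spread": max(scores) - min(scores),   # the 'difference in agreement'
            "stdev": round(pstdev(scores), 2),
        })
    return sorted(rows, key=lambda r: r["mean_score"], reverse=True)


def needs_probing(rows, spread_threshold=8):
    """Assets whose respondents disagree strongly: follow up by asking 'why'."""
    return [r["asset"] for r in rows if r["spread"] >= spread_threshold]


if __name__ == "__main__":
    matrix = assess(RATINGS)
    for row in matrix:
        print(f"{row['asset']:<13} mean={row['mean_score']:>5} level={row['level']:<6} "
              f"spread={row['spread']:>2} stdev={row['stdev']}")
    print("ask 'why' about:", needs_probing(matrix))
```

Note that `branch-wifi` lands in the medium band on its mean score alone, which would make it easy to deprioritize; it is the spread between the respondents, not the average, that marks it as the area needing the follow-up conversation the article recommends.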

To make the measurements and data more explicit and authentic, quantitative metrics can be quite helpful.

System vulnerability statistics and incident statistics serve as valuable data: vulnerability statistics give information about exploits on the network, and incident statistics tell the latest security status. Annualized Loss Expectancy (ALE) is a widely used metric, which refers to the expected losses that may occur from security incidents over a year. Another metric is Return on Investment (ROI), which calculates the return, benefit or profit on the amount invested. Total Cost of Ownership (TCO) seeks to calculate the money that must be spent on a system from initial purchase to final disposal, i.e. throughout the entire ownership lifecycle.
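The three financial metrics above, worked through as an added example that is not from the article. It uses the standard definition of ALE as single loss expectancy (SLE) multiplied by annualized rate of occurrence (ARO), computes TCO over a control's purchase, yearly running and disposal costs, and expresses ROI as the common return-on-security-investment ratio (loss avoided minus annualized control cost, divided by that cost). The loss figures and control costs are constructed, and the `reliable` flag is an assumption added so that the caveat about ROI on unreliable data is handled explicitly: when either loss estimate is marked unreliable, no ROI is produced.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LossEstimate:
    sle: float             # single loss expectancy: currency lost per incident
    aro: float             # annualized rate of occurrence: incidents per year
    reliable: bool = True  # False when the figures are guesses rather than measured


def ale(estimate: LossEstimate) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return estimate.sle * estimate.aro


@dataclass
class Control:
    purchase: float                          # initial acquisition cost
    annual_costs: List[float] = field(default_factory=list)  # per-year running cost
    disposal: float = 0.0                    # decommissioning cost at end of life


def tco(control: Control) -> float:
    """Total Cost of Ownership across the whole lifecycle, purchase to disposal."""
    return control.purchase + sum(control.annual_costs) + control.disposal


def annualized_cost(control: Control) -> float:
    """TCO spread evenly over the years the control is in service."""
    years = len(control.annual_costs) or 1
    return tco(control) / years


def rosi(before: LossEstimate, after: LossEstimate, control: Control) -> Optional[float]:
    """Return on security investment as a ratio (1.0 = the control pays for itself
    once over per year). Returns None when the inputs cannot support a figure:
    either estimate is flagged unreliable, or the control has no positive cost."""
    if not (before.reliable and after.reliable):
        return None
    cost = annualized_cost(control)
    if cost <= 0:
        return None
    loss_avoided = ale(before) - ale(after)
    return (loss_avoided - cost) / cost


# Constructed scenario: a control expected to cut incident frequency from 2/year to 0.4/year.
BEFORE = LossEstimate(sle=50_000, aro=2.0)
AFTER = LossEstimate(sle=50_000, aro=0.4)
CONTROL = Control(purchase=60_000, annual_costs=[20_000, 20_000, 20_000], disposal=0.0)

if __name__ == "__main__":
    print(f"ALE before: {ale(BEFORE):,.0f}   ALE after: {ale(AFTER):,.0f}")
    print(f"TCO: {tco(CONTROL):,.0f}   annualized: {annualized_cost(CONTROL):,.0f}")
    print(f"ROSI: {rosi(BEFORE, AFTER, CONTROL)}")
    guessed = LossEstimate(sle=50_000, aro=0.4, reliable=False)
    print(f"ROSI with unreliable 'after' estimate: {rosi(BEFORE, guessed, CONTROL)}")
```

Intangible losses (reputation, customer trust) have no SLE that can honestly be entered here, which is exactly the limit of ALE the next paragraph raises; a `LossEstimate` for such a loss should be marked `reliable=False` rather than given an invented figure.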

Although many security metrics are available to security officers, it is not certain whether they are completely reliable. ROI becomes meaningless when the data provided is unreliable. Similarly, ALE doesn’t help when it comes to assessing risks related to intangible losses. Won’t CSOs vacillate when choosing these metrics, when some are inaccurate and some are unreliable? Moreover, it is nerve-racking for CSOs to compare the metrics and choose the most appropriate one, especially when they are responsible for ensuring and managing the security of the systems and the firm.

Business Benefits of Keeping the CSO in the Loop

It has been said earlier that all businesses and organizations are exposed to some sort of risk and security issues, and it is very essential to be acquainted with the metrics with which security issues and risks can be mitigated. However, most important of all is to have someone who knows the risks and can look after security problems; who evaluates and responds to the perils as soon as they appear; and who resolves the issues using metrics. How would metrics help a company if no one is there to make use of them?

CIOs around the world in general, and in the local industry in particular, strongly assert the need for having someone who can guard the company against the potential threats residing inside and outside. While talking to Team CIO Pakistan, many CIOs from the local industry indicated a requirement for a CSO. They solemnly believe and accept that risks are always there, but if there is someone who can take responsibility for controlling security problems and risks, the safety situation can be improved.

Mr. Shahid Sumar, Senior Vice President of the IT department at Summit Bank, suggested that risks are something that one is not aware of. Thus, he indicated that someone like a CSO needs to be there in the company who can keep an eye on the hazards that may affect the information of the company and can lead to several losses. According to him, bringing 100% security to the organization is an ideal situation, which is not possible, especially in times when cyber crimes and hacking take place extensively. However, these issues can be tackled if a company arranges a security officer.

In ensuring security, safety solutions such as various software packages and applications can play an important role. However, it is important that these are developed and deployed on the basis of the safety needs of the company. But at this stage, won’t a company require someone who can evaluate these solutions before implementing them? Mr. Asif Ali Kazi, IT Head at Szabist, agreed that safety is the biggest trepidation of organizations today and all look for the smartest and safest solutions. In his opinion, no solution guarantees complete safety, but if there is someone in the company who stays abreast of the internal and external threats, then together they can enhance the security conditions of the company.

Where risk management has become crucial, especially among financial institutions like banks, a need for a CSO and IS policies has also emerged. Mr. Mudassir Khan, CIO at HBL, while talking to Team CIO Pakistan, said that since operational risks can be hazardous, it is important that a company establishes certain policies and takes effective measures to minimize them. Won’t the company require a person who could develop effective policies and take initiatives to minimize those risks?

Having a CSO can definitely aid the company in reducing risks and enhancing information security. Not only this, his contribution to enhancing security can lead to minimal losses, which implies more gains in the form of ROI and reduced costs.
