What information security KPIs are you tracking? Are they tied specifically to your organization’s business goals? If not, consider that using predictive business performance metrics could help increase your organization’s profitability—by as much as 20% over three years, according to one Gartner study.
To help you develop more relevant security performance indicators, here are some suggestions from the experts:
Make them meaningful to executives Start by considering what matters most to executives:
Complying with regulations and contractual obligations
Managing risks
Don’t focus on cost metrics “Security guys are always talking about cost,” said Steve Durbin, managing director of the Information Security Forum (ISF), in a CIO magazine interview. “If we realign this, the security guys can now go to the business and say, ‘Look, if this is what is important to you, this is the role I can play in helping you protect that, but I don’t have the funding for a variety of reasons.’ The business can then make the call as to whether to find the funding for that problem. It’s no longer the security guy’s problem, it’s the business’s problem.”
Use leading vs. lagging metrics A lagging indicator measures actual results, our outputs, so it’s too late to make corrections or improvements. A leading indicator looks at activities necessary to achieve your goals, so they’re essentially inputs that provide information needed to intervene and change course for the better. For example, the number of viruses reported after a new software implementation is a lagging indicator, whereas the number of virus updates implemented prior to implementation shows action taken to drive launch success and improve user productivity.
Evaluate the effectiveness of your proposed metrics Thankfully, there’s a tool for that. The ASIS Foundation sponsored a major security metrics research project, and one of the outcomes was a Security Metrics Evaluation Tool that security managers can use to assess the quality of specific security metrics. The written tool helps you analyze the effectiveness of a metric against nine criteria, including its relevance to the organization’s strategic mission, how easily it can be communicated and its reliability. The tool is in the Appendix of the research report, “Persuading Senior Management with Effected, Evaluated Security Metrics.”
Leaders from Japan, Canada, France, Germany, Italy, the UK, and the US, as well as representatives of the European Union, gathered for the G7 Ise-Shima Summit in Japan May 26-27 to address major global economic and political challenges. Notably, for the first time at a G7 Summit, their discussions included cybersecurity. In fact, the “G7 Ise-Shima Leaders’ Declaration” released May 27 contains several consensus items regarding cybersecurity, captured as a standalone topic, reflecting the critical importance and geopolitical consequences of this issue in today’s world.
Among other things, the Leaders’ Declaration endorses the G7 Principles and Actions on Cyber, which promote security and stability in cyberspace as well as the digital economy, and commits the leaders “to take decisive action” regarding those Principles. Cybersecurity came up not only in this Summit, but also in an array of related G7 meetings leading up to it this spring: the G7 Foreign Ministers’ Meeting April 10-11, the G7 ICT Ministers’ Meeting April 29-30, the G7 Finance Ministers and Central Bank Governors Meeting May 20-21, and the G7 Energy Ministerial Meeting May 1-2. This consistent discussion reflects governments’ growing concerns over the malicious use of cyberspace by hackers, criminals, state actors, and terrorists, as well as emerging global trends that challenge an open and interoperable cyberspace—all of which threaten our critical infrastructure, digital economy and economic growth.
Given growing concerns over the current economic downturn in many countries, it makes sense that the Leaders focused on the economic contribution of cyberspace, and confirmed that “an accessible, open, interoperable, reliable and secure cyberspace” is an “essential foundation for economic growth and prosperity.” Indeed, cyberspace is a fundamental enabler of our digital lifestyle, although malicious actors can use it to threaten our daily lives, economies, and national or international security.
This vision of cyberspace as a foundation for progress is shared by the G7 host country, Japan, whose Cybersecurity Strategy 2015 was the first Japanese national information securitystrategy to recognize that cyberspace is also a frontier for innovation and sustainable economic growth.
We welcome the G7 Leaders’ decision to launch a new G7 working group on cyber to enhance policy coordination and practical cooperation to promote security and stability in cyberspace. The Declaration does not say who will populate the working group. While we expect the core members to be government officials, it is crucial to adopt a multi-stakeholder or “Track 1.5” approach to incorporate industry input. Governments and the private sector alike seek greater cybersecurity and resilience, and it is necessary to combine government insights about policy and national strategy with industry knowledge about technical innovation for cyber threat prevention and defense. All players must participate to ensure that the envisioned coordination and cooperation is practical and feasible.
It also is commendable that the G7 is focusing on cybersecurity in critical industry sectors dependent on cyber infrastructure, namely finance and energy. The Declaration highlights the work of the G7 Cyber Experts Group in the financial area to foster cybersecurity and enhance cooperation among G7 countries in this arena. This is important, given the ongoing trend of cybercrimes targeting the financial sector, such as the theft of $81 million from Bangladesh’s central bank in February 2016.
In the Joint Statement from the G7 Energy Ministerial Meeting earlier in May, the Ministers committed to advancing resilient energy systems including electricity, gas and oil, in order to respond effectively to emerging cyber threats and to maintain critical functions. The usefulness of this commitment is evidenced by the power outage, caused by cyber-attacks, which affected 225,000 people in Ukraine in December 2015. Such cyber sabotage against critical infrastructure can potentially disrupt medical services and other key social services, leading to the loss of lives. These areas of focus demonstrate the G7 countries’ concern about the potential damages to these sectors of critical infrastructure, which can sap competitiveness, cause a loss in business and consumer confidence, and dampen the countries’ economic strength and security.
Finally, it is meaningful that this heavy emphasis on cybersecurity was made at the series of G7 meetings hosted by Japan. We are sure that Japan played an important role in ensuring this emphasis. Japan has its own internal interests, including the security of the electric power industry in the wake of the Great East Japan Earthquake in 2011 (which led to catastrophic consequences with the cascading impacts from the Fukushima Daiichi nuclear power plant accident). As the host of the G7 Summit 2016 and the upcoming Tokyo Summer Olympic Games in 2020, Japan is expected to set an example of cybersecurity and the protection of critical infrastructure. Best practices and new partnerships will be born from the lessons.
The next steps for the G7 leaders and the new G7 cyber working group are to figure out how to overcome silos and facilitate smooth communication across borders, among key players in government and industry. While bureaucratic stove piping is not unique to cybersecurity, the repercussions can be more problematic when cyber attacks or threats affect multiple sectors, governmental agencies, and countries. Given that attackers will always try to exploit the weakest link, the scale of global Internet interconnectivity means that one country’s robust cyber defenses – or economic prosperity – may be weakened if its counterparts fail to protect themselves. This could lead to information breaches and compromised systems or networks globally.
The call for a multi-stakeholder approach to cybersecurity across borders is not new, but has been slow to gain solid footing. It could be that we have lacked clear goals or deadlines. The Tokyo Olympic Games 2020 would be a golden opportunity to create a prototype of a Track 1.5 cybersecurity dialogue and information-sharing framework. Only four years away, the event has a wide variety of stakeholders, including the G7 countries. Such a prototype can help pave the way to more efficient global cooperation on cybercrime and critical infrastructure protection.
This is the second in a series of blogs co-authored by Mihoko Matsubara and Danielle Krizaimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover additional thoughts on the METI/IPA Cybersecurity Guidelines, Japan’s role in global cybersecurity capacity-building, cyber threat information-sharing and prospects for Japan, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.
Did, you know you can quickly search AutoFocus to look for samples with certain artifacts? Watch this short clip to see Patricia Cruz, Technical Writer at Palo Alto Networks, demonstrate this feature in action!
This video is the first in a series of bite-sized AutoFocus tutorials, tips, and tricks from the Technical Publications team. Want a video for a specific feature? Leave your suggestion below or email us at documentation@paloaltonetworks.com.
Recently, we have noticed a common observation shared by many of the senior executives at our customers. With the increased awareness of cybersecurity as a business challenge, there is a commensurate need to discuss cybersecurity in business terms, specifically around how security can enable organizational agility, not slow it down. At Palo Alto Networks, we have focused on meeting this need with a variety of efforts, and recently took another important step in this regard.
Last week, with our new partner PwC, we released a jointly developed framework to help board members, senior executives, and technical executives (e.g., Chief Information Officers and Chief Information Security Officers) organize their corporate cybersecurity strategies around breach prevention. To position companies to prevent successful cyberattacks and enable organizational agility, we believe organizations must:
Identify organization-specific critical assets, priorities and related governance structures.
Monitor and analyze all traffic to establish visibility of all users, applications and content traversing corporate networks, clouds and endpoints, in order to define and refine organizational information security policies.
Protect from attack by enforcing policy to reduce the organizational attack surface and prevent known and unknown threats.
Detect and respond to the inevitable, successful attack in a manner that incorporates mitigations and protection mechanisms to prevent similar attacks in the future.
Chad Kinzelberg, Palo Alto Networks SVP for Corporate and Business Development, and David Burg, the Global Leader of the Cybersecurity Consulting practice at PwC, recently hosted a webinar on this framework. It includes practical applications of how the framework can help meet two increasingly crucial business needs: securely enabling adoption of cloud technologies and preventing advanced persistent threats. You can view this webinar on demand in ourBrightTalk portal.
We invite you to check out the framework and read the white paper, which discusses the framework in greater detail, and we welcome your feedback. How can this approach help your business prevent successful attacks to securely enable agility and productivity?
Gartner’s 2016 Magic Quadrant for Enterprise Network Firewalls has been released, and Palo Alto Networks is proud to be positioned in the Leaders quadrant for the fifth straight year.
We’re thrilled that Gartner researchers continue to highlight both our ability to execute and the completeness of our vision. Once again, we are one of only two vendors distinguished as Leaders in this space.
Over 30,000 customers in 140 countries have chosen Palo Alto Networks to realize the benefits of a true next-generation security platform, safeguard critical assets and prevent both known and unknown threats. I invite you to download the full 2016 Magic Quadrant for Enterprise Network Firewalls report here:
DISCLAIMER: This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available from Palo Alto Networks at http://go.paloaltonetworks.com/Gartner2016. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.