Seven out of 10 websites from the 128 million scanned between January 2006 and August 2007 had critical or urgent vulnerabilities, said a research analyst.
After reading that shocking statistic, the next thought that comes to mind is how to put those vulnerabilities and the damage they can cause into the proper perspective for the leaders of your organization, said Andrew Jaquith, senior analyst at Forrester Research, during his keynote address at securitymetrics.org’s Metricon 5, the fifth annual conference dedicated to security metrics.
In that same vein, Richard Seiersen, security principal at the healthcare giant Kaiser Permanente, said security practitioners need to stay ahead of the question executives will ask after they find out they have vulnerabilities they must fix with additional investments in technology and people.
“The first question you’ll get is ‘so what?’” Seiersen said. “They want you to tell them ‘why is this information important to me?’” Seiersen’s job is to keep the massive pile of medical records and other patient information from being stolen through the system vulnerabilities attackers try to exploit.
His approach is to present security metrics in the “fourth dimension.” There are three standard dimensions of security metrics, he said: value, time and risk. To get beyond the “so what” question, the practitioner must be able to offer clear examples of not just what and where the risks are, but what kinds of valuable business resources are under threat, which in turn will help executives understand the value in fixing them. Time is about when you need to get something fixed.
He said the next question will be: “What are you doing about the problem?”
Enter the fourth dimension of security metrics: Effectiveness.
Seiersen cautioned practitioners never to use tech-talk language like: “Out-of-cycle remediation should decrease and there should be high correlation with exploitability and risk, etc.”
Rather, use more understandable language: “These actively exploitable flaws [threaten] Internet access and our critical business applications and the solution must be deployed in one business day by the end of the fourth fiscal quarter.” Putting it in those words is more direct and makes it clear why leaders should make the investment and deploy the fix quickly.
When it comes to measuring the success rate of actions taken and where the organization needs to go from there, Seiersen said to use a color-coded graphic that captures the four dimensions and uses green, yellow and red to show progress and failure.