Security metrics are crucial for any security program, especially when security budgets are being discussed. Proving the ROI of security tools and the deliverable of security talent is sometimes challenging and often put CISOs leaders in tough discussions. As traditional IT-Security workflows and processes evolve to better serve the growing security needs, new metrics are increasingly adopted to address the threats and measure productivity.
Dark Reading's Ericka Chickowski discussed this topics with several infosec leaders, among them Cybereason's CEO and Co-Founder, Lior Div.
Out of the ten metrics mentioned in the article, we recommend that CISOs start incorporating our 4 recommended InfoSec metrics into their measurement program:
1. False Positive Reporting
Tracking the False Positive Reporting Rate (FPRR) can help put the work of lower-level analysts under the microscope, making sure that the judgments they're making on automatically filtered security event data is sifting out false positives from indicators of compromise before they escalate to others in the response team.
Despite the implementation of automated filtering, the SOC team must make the final determination as to whether the events they are alerted to are real threats. The reporting of false positives to incident handlers and higher-level management increases their already heavy workload and, if excessive, can de-motivate and cause decreased vigilance."
A high FPRR could indicate better training is needed from Level 1 Analysts or better tuning of analytics tools. All too often Level 1 analysts lack a good understanding and visibility to incidents cause and therefore escalate false alerts to Level 3 analysts. This causes waste of expensive resources.
2. Incident Response Volume
Tracking the total number of incident response cases opened against those closed and pending will help CISOs identify how well incidents are being found and addressed. This shows that incidents are being identified along with remediation and root cause analysis, which is critical for continuous improvement of an information security program.
3. Fully Revealed Incidents Rate
This metric can also help get a bead on the effectiveness of the incident response and security analyst functions within a program. Measure: what is the rate of incidents handled by security team into which they have a full understanding of the reason for the alert, the circumstances causing it, its implications, and effect?
The lower the rate compared to overall volume of opened cases will show gaps in visibility and could trigger an ask for more investment in human resources or tools.
4. Percentage Of Security Incidents Detected By An Automated Control
One way to justify spend on new security tools is to start tracking just how many of the overall true security incidents detected by the organizations are done through an automated tool. This is a good one because it not only encourages you to become familiar with how incidents are detected, it also focuses you on automation, which reduces the need for 'humans paying attention' as a core requirement. It also makes it easier to lobby for funding from the business, since you can make the case that automation reduces the cost of security while lowering the risk of harm to the business from an unnoticed incident.
Read the whole article here.
