from the pillory to the joneses using peer pressure to improve your security kpis :: metricon 6.5
DESCRIPTION
There is a natural human desire to both not be punished as well as to covet that which thy neighbor has (hence the existence of the well known "thou shalt not…" Commandment). Humans also strongly desire to be rewarded for the accomplishments they make but at the same time would like to be as anonymous as possible. With such diverse characteristics, how could one possibly use something like security metrics to change/channel the right behaviours? Since the most effective metrics programs have a measurable, reportable resulting action component, the way in which this is carried out must be designed in up-front. Given the limited resources in business units and IT areas, this design should focus on the most critical areas first and shift focus as progress is made in individual KPIs. To that end, we present an approach that has an element of the medieval gallows (i.e. shame) as well as an element of "keeping up with the Joneses" (i.e. competition) to improve the effectiveness of concrete risk, security & compliance program goals/controls. We will demonstrate real-world improvements made in the area of policy/standard exceptions as well as anti-virus infections and propose other concrete areas organizations of all sizes can work on in 2012 & beyond to drive critical improvements in their programs.TRANSCRIPT
From The Pillory To The JonesesUsing Peer Pressure To Improve Your Security KPIsBob Rudis & Albert Yin
Mini-Metricon 6.5February 27, 2012
1Thursday, January 24, 13
2Thursday, January 24, 13
http://www.historicalstockphotos.com/images/xsmall/1971_people_locked_in_a_pillory_while_awaiting_witch_trials.jpgUsed With Permission
2Thursday, January 24, 13
3Thursday, January 24, 13
http://gentlemanredux.com/blog/2011/11/24/keeping-up-with-the-joneses/Used With Permission
3Thursday, January 24, 13
4Thursday, January 24, 13
I know you all know this…
4Thursday, January 24, 13
5Thursday, January 24, 13
But, it’s worth repeating…
5Thursday, January 24, 13
6Thursday, January 24, 13
Metrics are supposed to be…
6Thursday, January 24, 13
7Thursday, January 24, 13
Getty Images :: “Comping” & Preview Use License
7Thursday, January 24, 13
8Thursday, January 24, 13
NBC News Footage :: Fair Use
8Thursday, January 24, 13
How To Pick An Area Of Focus
9Thursday, January 24, 13
How To Pick An Area Of Focus
Do you even have data for it?
9Thursday, January 24, 13
How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
9Thursday, January 24, 13
How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
Can you trust the data?
9Thursday, January 24, 13
How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
Can you trust the data?
Is it an area you can measure consistently over time?
9Thursday, January 24, 13
How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
Can you trust the data?
Is it an area you can measure consistently over time?
Is it actually going to help reduce risk in your environment?
9Thursday, January 24, 13
Candidate #1 : Policy Exceptions
10Thursday, January 24, 13
Candidate #1 : Policy Exceptions
We (Enterprise Security) controlled the process & data
10Thursday, January 24, 13
Candidate #1 : Policy Exceptions
We (Enterprise Security) controlled the process & data
Policy exceptions inherently introduce risk into the environment, hence a great target to focus on
10Thursday, January 24, 13
Original
11Thursday, January 24, 13
Original
WORTHLESS
(Mostly)
11Thursday, January 24, 13
12Thursday, January 24, 13
“So what?”
12Thursday, January 24, 13
13Thursday, January 24, 13
No consequences…
13Thursday, January 24, 13
14Thursday, January 24, 13
14Thursday, January 24, 13
New & Improved
15Thursday, January 24, 13
New & Improved
15Thursday, January 24, 13
New & Improved
ComparisonOver Time
15Thursday, January 24, 13
New & Improved
ComparisonOver Time Aligned To
Risk
15Thursday, January 24, 13
New & Improved
16Thursday, January 24, 13
New & Improved
16Thursday, January 24, 13
New & Improved
Show The Trend!
16Thursday, January 24, 13
New & Improved
Show The Trend!
Focus On Risk!
16Thursday, January 24, 13
New & Improved
Show The Trend!
Focus On Risk!
16Thursday, January 24, 13
New & Improved
Show The Trend!
Focus On Risk!
16Thursday, January 24, 13
17Thursday, January 24, 13
18Thursday, January 24, 13
http://www.geograph.org.uk/photo/630105Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0)
18Thursday, January 24, 13
19Thursday, January 24, 13
http://hyperboleandahalf.blogspot.com/Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License
19Thursday, January 24, 13
What Did It Take?
20Thursday, January 24, 13
What Did It Take?
~6 months
20Thursday, January 24, 13
What Did It Take?
~6 months
Constant contact with SBUs
20Thursday, January 24, 13
What Did It Take?
~6 months
Constant contact with SBUs
Tons of documentation
20Thursday, January 24, 13
What Did It Take?
~6 months
Constant contact with SBUs
Tons of documentation
Senior management visibility & support
20Thursday, January 24, 13
What are next candidates?
21Thursday, January 24, 13
What are next candidates?
Repeat virus offenders per-SBU, per-month
21Thursday, January 24, 13
What are next candidates?
Repeat virus offenders per-SBU, per-month
“So what?” => What are these folks doing to keep getting infected? Do the infected users handle/have access to sensitive data? (Loss of Integrity/Confidentiality)
21Thursday, January 24, 13
What are next candidates?
22Thursday, January 24, 13
What are next candidates?
# Windows 7 Systems Deployed &% With Encryption Enabled (per SBU)
22Thursday, January 24, 13
What are next candidates?
# Windows 7 Systems Deployed &% With Encryption Enabled (per SBU)
“So what?” => Primary Concern Of Corporate Legal & OCC (safe harbor loss); Doing a migration to Win 7 and off of competing technology at same time
22Thursday, January 24, 13
What are next candidates?
23Thursday, January 24, 13
What are next candidates?
Internet-facing Vulnerability/Pen-test Metrics(per SBU)
23Thursday, January 24, 13
What are next candidates?
Internet-facing Vulnerability/Pen-test Metrics(per SBU)
“So what?” => For us, Board-level initiativeRef: CIS Security Metrics – Quick Start Guide : https://benchmarks.cisecurity.org/en-us/?route=downloads.form.metrics_guide.100
23Thursday, January 24, 13
