Tips for Using Metrics to Build a Business-driven Threat Intelligence Capability
By Lisa Young, CISA, CISM
Recent high-profile data breaches and cybersecurity incidents in the news may cause a security or risk manager to reevaluate whether or not the information from current threat and vulnerability alerts is sufficient to identify the appropriate action to take. So, how do you prioritize the threats and vulnerabilities that are most important? And, how do you provide assurance that your security program is managing and mitigating the threats that have the greatest potential impact on your business objectives? Consider rethinking your current threat management strategies, using the following tips to build an actionable threat intelligence capability.
Intelligence is more than just having lots of information; it is using data analysis, situational awareness, meaningful metrics and business context to understand the threat and, based on the organization’s risk profile, identify the appropriate action to take. Effectively synthesizing the myriad data sources available from government and open-source threat information feeds, vendor data subscriptions, information sharing programs and intelligence service providers requires the organization to develop the following:
- Defined strategic and business objectives—Prioritization of security and risk metrics must be tied to business outcomes; otherwise, why are resources being spent on collecting and reporting them?
- Questions that a metric will answer (based on business objectives)—If the information being collected does not inform a decision or investment, cause someone to take action, or change a behavior, then why is it being collected? Developing a direct relationship between the desired business outcomes and the underlying security and risk management activities provides a justification for investment in continuing such activities.
- A robust understanding of the critical assets that support business objectives—People, information, technology and facility assets are only valuable in the context of delivering the business services and products that meet defined objectives. Remember, showing the value of the security and risk management program with metrics provides the ability to inform decisions based on real data.
- Identified risk to meeting defined objectives—Accountability for managing risk that affects objectives is owned by the business area, not IT. Providing risk metrics to business leaders shows the direct impact of the actions the security team is taking on the business objectives.
- The ability to define, collect, analyze and report data—Organizations may already have some of these abilities if they are using a security information and event management (SIEM) system, but it may be necessary to develop additional data synthesis and analytic capabilities depending on the objectives and risk that need to be addressed or the questions that need to be answered.
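As an added example that is not part of the article, the small Python script below shows how the five elements above fit together in code: a business objective and the question it raises, a critical-asset inventory that supplies business context, an impact score that ranks raw feed alerts by the criticality of the asset they touch, and a metric reported per business service so that the owning business area sees its own number rather than an IT-wide total. All asset names, services, severities and alert records are constructed for illustration, and the 72-hour remediation target and the severity threshold are assumptions, not values from the article.

```python
"""Added example: turning raw threat alerts into a business-driven metric.
Every asset, service and alert below is constructed for illustration."""
from dataclasses import dataclass

# The business objective and the question the metric must answer (constructed).
OBJECTIVE = "Process customer orders without interruption"
QUESTION = ("What share of open high-severity alerts on assets that support "
            "order processing have been open longer than the 72-hour target?")

# Critical-asset inventory: asset -> (business service it supports, criticality 1-3).
# This mapping is the business context; without it every alert looks the same.
ASSETS = {
    "web-01":  ("order-processing", 3),
    "db-01":   ("order-processing", 3),
    "hr-01":   ("payroll", 2),
    "wiki-01": ("internal-kb", 1),
}


@dataclass
class Alert:
    asset: str
    severity: int      # 1 (low) .. 4 (critical), as a feed or SIEM might report it
    age_hours: float   # hours since the alert was raised
    open: bool         # False once the finding has been remediated or accepted


# Constructed sample feed: what a normalised SIEM export might look like.
SAMPLE_ALERTS = [
    Alert("web-01", 4, 90.0, True),      # critical finding on a critical asset, overdue
    Alert("db-01", 4, 150.0, False),     # already closed; counts for nothing
    Alert("db-01", 3, 10.0, True),       # high finding on a critical asset, within target
    Alert("wiki-01", 4, 200.0, True),    # critical finding but a low-criticality asset
    Alert("hr-01", 2, 100.0, True),      # medium finding; below the reporting threshold
    Alert("printer-99", 4, 5.0, True),   # asset not in the inventory: no business context
]


def business_impact(alert: Alert) -> int:
    """Rank by feed severity times asset criticality. Unknown assets get
    criticality 0 so they sink to the bottom rather than vanishing; the gap
    in the inventory is itself a finding worth reporting."""
    _service, criticality = ASSETS.get(alert.asset, ("unknown", 0))
    return alert.severity * criticality


def prioritize(alerts):
    """Alerts ordered by business impact, highest first (stable on ties)."""
    return sorted(alerts, key=business_impact, reverse=True)


def overdue_share(alerts, service, min_severity=3, target_hours=72.0):
    """The metric behind QUESTION for one business service: the fraction of
    open alerts at or above min_severity on that service's assets that are
    older than target_hours (assumed threshold and target). Returns None when
    nothing qualifies, so an empty population is not reported as a
    reassuring 0%."""
    relevant = [
        a for a in alerts
        if a.open
        and a.severity >= min_severity
        and ASSETS.get(a.asset, ("unknown", 0))[0] == service
    ]
    if not relevant:
        return None
    overdue = [a for a in relevant if a.age_hours > target_hours]
    return len(overdue) / len(relevant)


def metrics_by_service(alerts):
    """One number per business service, so each owning business area sees
    the risk to its own objective."""
    services = sorted({service for service, _ in ASSETS.values()})
    return {s: overdue_share(alerts, s) for s in services}


def unmapped_assets(alerts):
    """Assets seen in the feed but missing from the inventory."""
    return sorted({a.asset for a in alerts if a.asset not in ASSETS})


if __name__ == "__main__":
    print("Objective:", OBJECTIVE)
    print("Question: ", QUESTION)
    for a in prioritize(SAMPLE_ALERTS):
        print(f"  impact={business_impact(a):2d}  {a.asset:11s} sev={a.severity} "
              f"age={a.age_hours:5.0f}h open={a.open}")
    for service, share in metrics_by_service(SAMPLE_ALERTS).items():
        shown = "n/a (no qualifying alerts)" if share is None else f"{share:.0%}"
        print(f"  {service:17s} overdue share: {shown}")
    print("  assets missing from inventory:", unmapped_assets(SAMPLE_ALERTS))
```

Two design choices are worth noting. The feed's own severity is never reported on its own: a critical-severity alert on the internal wiki ranks below a high-severity alert on the order database, because the inventory, not the feed, carries the business context. And a service with no qualifying alerts is reported as "n/a" rather than 0%, since a missing population says nothing about whether the objective is being protected.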
An organization cannot expect to acquire all the threat intelligence it needs to respond to the evolving risk landscape without developing critical analysis capabilities. The first step in this process is to ensure that security and risk programs are defined in terms of strategic and business objectives.
If a business-driven measurement approach appeals to you, consider enrolling in the “Measuring What Matters” workshop at the upcoming North America Information Security and Risk Management (ISRM) Conference. The workshop is designed to take an organization’s business objective, supplied by the participant, and methodically develop questions, indicators and metrics that support the business goals. More information can be found on the North America ISRM 2014 Presentations and Descriptions page of the ISACA web site.
Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
The Race Is On…Participate in the Knowledge Center!
The Knowledge Center chapter participation contest officially kicked off on 1 June with more than 60 chapters participating. Chapters have a chance to win a guest speaker appearance in 2015, paid for by ISACA. If you are a member of a participating chapter, it is time for you to help advance your chapter’s standing. When you earn points in the Knowledge Center, your chapter earns points. Earn points by:
- Joining a topic community
- Starting or responding to discussions
- Rating discussions
- Adding documents or links
- Adding colleagues
The top 10 small/medium chapters as of 18 August are:
- Karachi (Pakistan) Chapter, 109 points
- Santo Domingo (Dominican Republic) Chapter, 93 points
- Dhaka (Bangladesh) Chapter, 83 points
- Springfield, Missouri (USA) Chapter, 75 points
- Lahore (Pakistan) Chapter, Mauritius Chapter, 73 points (tied)
- Venezuela Chapter, 68 points
- Vijayawada (India) Chapter, 61 points
- Jeddah (Saudi Arabia) Chapter, 60 points
- Ibadan (Nigeria) Chapter, 59 points
The top 10 large/very large chapters as of 18 August are:
- Ireland Chapter, 129 points
- Riyadh (Saudi Arabia) Chapter, 66 points
- New Delhi (India) Chapter, 58 points
- Hyderabad (India) Chapter, 48 points
- Belgium Chapter, Istanbul (Turkey) Chapter, 46 points (tied)
- Austria Chapter, 45 points
- Pune (India) Chapter, 44 points
- Bangalore (India) Chapter, 43 points
- Lima (Peru) Chapter, 42 points
Is your chapter in the top 10? It can be if you and your colleagues participate in the Knowledge Center.
Becoming More Familiar With the Risk of Everyday Life
Wilfredo Sillerico Galvez, CISA, CISM, CRISC, Information Security Specialist at La Boliviana Ciacruz, Shares His Experience as a CRISC
Wilfredo Sillerico Galvez is one of only five Certified in Risk and Information Systems Control (CRISC) professionals in Bolivia and he experiences a number of advantages from holding the certification. “The best parts of being a CRISC are being able to perform better as a professional by demonstrating the confidence gained by earning an international certification and being part of an outstanding group of professionals specializing in information systems risk. I have been able to expand and improve my professional contacts within and outside of my country.”
Risk is a major part of Sillerico’s life because of his career, but he finds that everyone encounters risk and has to find ways to combat it. He believes certifications such as CRISC help people better address all risk. “Identifying vulnerabilities and threats is part of everyday life for any person in any activity and it happens almost unconsciously,” he says. “Having some skill in properly identifying and handling areas of risk and threats allows me to perform certain actions to help reduce the likelihood or impact of identified threats daily. It certainly helps bring more order and safety to my life.”
Sillerico knows that although many people do not work directly with risk, all employees are responsible for how their actions affect an organization’s security. “In the chain of information security, the user remains the weakest link. The big challenge is to make users aware of the risk they may be creating,” he says. “CRISC professionals must anticipate this behavior, identify the most significant risk and make efforts to strengthen controls relating to this risk.”
In addition to the professional benefits of the CRISC certification, Sillerico’s involvement with ISACA has provided him with many leadership opportunities. And as a leader of the ISACA La Paz (Bolivia) Chapter, Sillerico helped organize the chapter’s first international event, 1ra. Jornada Internacional ISACA Bolivia “Full Day.” On 19 August, audit, risk, governance and security professionals from around the world gathered to share their knowledge with event attendees.
To learn more about CRISC and ISACA’s other certifications, visit the Certification page of the ISACA web site.
New Cybersecurity Resources Available
ISACA has issued new cybersecurity-related publications. Increases in cybercrime are driving the need for organizations to implement cybersecurity programs, and these recently released publications relate cybersecurity implementation with regulatory guidelines.
ISACA has released the European Cybersecurity Implementation Series to help organizations implement European Union assurance-related directives on cybersecurity. The four-paper series aligns with European requirements and good practices. The papers in the series are: European Cybersecurity Implementation: Overview, which provides a high-level look at implementing cybersecurity programs that adhere to existing laws; European Cybersecurity Implementation: Assurance, which provides guidance on making cybersecurity assurance a key component of internal control; European Cybersecurity Implementation: Resilience, which focuses on the convergence of resilience and cybersecurity; and European Cybersecurity Implementation: Risk Guidance, which examines the risk management and guidance aspects of cybersecurity. The papers are available as complimentary downloads.
ISACA, along with many other international organizations, participated in creating the US National Institute for Standards and Technology (NIST) cybersecurity framework (CSF). The NIST Framework for Improving Critical Infrastructure Cybersecurity contains certain principles from the COBIT framework. Implementing the NIST Cybersecurity Framework is intended to assist organizations with understanding steps for the implementation of the framework using ISACA methods and approaches. The book is available in both PDF and print format.
Additional information on recent and upcoming research projects is posted on the Current Projects page.