
Slide 1: Implement and Optimize an Effective Security Management Metrics Program

Make your security analytics useful for governing your business operations & security program.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2015 Info-Tech Research Group Inc.

Slide 2: Our understanding of the problem

This research is designed for:
- A Chief Information Security Officer (CISO) who is dealing with the following:
  - Requests from the business to provide hard evidence of effective security processes and compliance efforts.
  - Audit requirements for visibility into current controls.
  - Finding an answer to "Are you investing effectively while also providing a secure technology environment for the organization?"

This research will help you:
- Understand the value of metrics.
- Right-size a metrics program based on your organization's maturity and risk profile.
- Provide a roadmap to grow your program.
- Develop strategies to effectively communicate the right metrics to stakeholders.

This research will also assist:
- Business stakeholders who are wondering:
  - Are we investing properly in security?
  - Where are the areas we need to improve on?
  - Are our security investments working effectively to secure our organization?

This research will help them:
- Become informed on the metrics that matter to them.
- Understand that the investment in security is an investment in the business.
- Feel confident in the progress of the organization's security strategy.

Slide 3: An organization's security details are quickly becoming everyone's business

Attention security officials, it's your time to shine. At first, security was a topic that C-level executives almost turned a blind eye to, and now we're seeing a spotlight turned directly on it. The Ponemon Institute predicts that increased interest in security from C-level executives will be one of the top trends this year, only growing in significance in the coming years.

- 59% of Ponemon expert respondents voted that C-level stakeholders will put security as a priority and view it as a "competitive advantage" in the next three years.
- 66% of Ponemon's expert panel anticipates that security officials will discuss security regularly with C-level executives within the next three years. This is a significant increase from today's statistic: only 22% of respondents say their security official alerts business leaders to cybersecurity issues.

Source: Ponemon Institute. "2015 Global Megatrends in Cybersecurity." February 2015.

The bottom line is: as security becomes more of a priority, security leaders need to establish more business-friendly methods of presenting pertinent security strategy-related information. Enter metrics.

Where do metrics fit in? Metrics vs. measurements:
- Metrics are measurements that are compared to a baseline. Metrics help you determine what is working well and what needs improvement within your security policies, processes, and technology.
- While the raw data offers insights to you as an IT/security professional, the key is to find important correlations on how it can apply to the business as a whole. It's all about context. For example:
  - Metric = reduced # of incidents last year
  - Business correlation: increased overall security in addition to reduced interruptions to customer service time, which meant overall improved business performance.

Slide 4: IT professionals are not the only ones driving the need for metrics

Executives get just as much out of management metrics as the people running them.

1. Metrics assuage executives' fears.
2. Metrics answer executives' questions.
3. Metrics help to continually prove security's worth.

Metrics help executives (and security leaders) feel more at ease with where the company is security-wise. Metrics help identify areas for improvement and gaps in the organization's security posture that can be filled. A good metrics program will help identify deficiencies in most areas, even outside the security program, helping to identify what work needs to be done to reduce risk and increase the security posture of the organization.

Numbers either help ease confusion or signify other areas for improvement. Offering quantifiable evidence, in a language that the business can understand, offers better understanding and insight into the information security program. Metrics also help educate on types of threats, staff needed for security, and budget needs to decrease risk based on management's threat tolerance.

Metrics help make an organization more transparent, prepared, and knowledgeable. Traditionally, the security team has had to fight for a seat at the executive table, with little to no way to communicate with the business. However, the new trend is that security is being invited before they have even asked to join. This trend allows the security team to better communicate on the organization's security posture, describe threats and vulnerabilities, present a "plan of action," and get a pulse on the organization's risk tolerance.

Slide 5: Differentiate terms used in the industry

Metrics and analytics both give visibility into your operations, but they have different uses, helping make data informational.

Metrics are tangible data points extracted from hardware, software, and security devices. Analytics are performed on metrics extracted from controls to gain insights.

Metrics:
- Typically in raw form and transformed into dashboards, plots, and graphs.
- Can be compared and analyzed against other controls and over time.
- Provide basic insights based on past data.
- Provide an inside perspective.

Analytics:
- Used to answer strategic questions.
- Used to anticipate future data or uncover root causes underlying metrics.
- Provide an outside perspective.
- Identify trends and correlations so that metrics can be understood and intelligent next steps can be chosen.

When deciding which metrics to track, consider: What type of intelligence feeds do we have to derive performance? For example, do we have a SIEM solution?

Management metrics demonstrate the effectiveness of controls and processes to justify spend and future security initiatives. This is the focus of this research project.

Slide 6: Case study: Australian company took proactive action with metrics

Industry: Government Services
Source: Expert Interview

Situation: The information security office proactively provided the driver for metrics because it identified the need for improved business and executive understanding, and support of investments in security.

Challenges:
- No current processes in place to measure metrics.
- Unclear on what metrics the business would truly care about.

Next Steps:
- Identify metrics that are pertinent to the business.
- Determine how the security team can use metrics to make the business care about security investments.

Slide 7: Executive summary

Situation: Security investments (time, money, and/or resources) are often made without adequate supporting information as to the relative benefit of one investment vs. another. In a resource-constrained environment, availability of additional resources for investment could be limited in the absence of solid evidence. Metrics allow the organization to understand its current risk posture and support initiatives to reduce those risks.

Complication: Security metrics are difficult to quantify. Many organizations and subject matter experts recognize the difficulty of establishing and maintaining an effective metrics program. This results in challenges when explaining security concerns and an inability to acquire management/leadership support for changes or additions needed for the security technology program.

Resolution: Your organization does not need to measure all metrics. Prioritize the metrics according to your organization's specific maturity and risk tolerance, as well as a cost/benefit analysis of each potential metric. Incremental improvements to the metrics program will help organizations grow from an immature business process (managing the basics and getting some visibility of the risks) to managing security resources more effectively using more complex metrics, and finally to a mature business measuring advanced metrics to manage effectively and comprehensively, allowing quick response to incidents.

Info-Tech Insight: Value vs. effort. The success of a metrics program is largely due to understanding the difference between quality and quantity. Attempting to measure anything and everything is not an efficient use of staff time and creates the potential for inconsistent measurements. For the most efficiency, devote your time to knowing what metrics will be provided to your organization, as well as assurance of their relevance, reliability, and reproducibility.

Slide 8: The value of security metrics can be found beyond simply increasing security

Value of engaging in security metrics:
- Increased visibility into your operations.
- Improved accountability.
- Better communication with executives as a result of having hard evidence of security performance.
- Improved security posture through better understanding of what is working and what isn't within the security program.

Value of Info-Tech's security metrics blueprint:
This blueprint applies to you whether you need to develop a metrics program from scratch or optimize and update your current strategy.
- Don't overwhelm yourself with everything; determine the metrics you need to worry about now without trying to do it all at once.
- Develop a growth plan as your organization and metrics program mature, so you continue to optimize.
- Communicate effectively. Be prepared to present the metrics that truly matter to executives rather than confusing them with unnecessary data.
- Pay attention to metric accuracy and reproducibility. No management wants inconsistent reporting.

Impact:
- Short term: Streamline your program. Based on your organization's specific requirements and risk profile, figure out which metrics are best for now while also planning for future metrics as your organization matures.
- Long term: Once the program is in place, improvements will come with increased visibility into operations. Investments in security will be encouraged with more evidence available to executives, contributing to improved security posture overall. Potential opportunities for eventual cost savings also exist as there is more informed security spend and fewer incidents.

Slide 9: Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

- Tool/template icon: denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.
- Activity icon: denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Slide 10: Info-Tech offers various levels of support to best suit your needs

- Consulting: "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
- Guided Implementation: "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
- DIY Toolkit: "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
- Workshop: "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Diagnostics and consistent frameworks are used throughout all four options.

Slide 11: Measured value for Guided Implementations (GIs)

Engaging in GIs offers both valuable project advice and significant cost savings.

GI: Phase 1: Establish your metrics baseline
Purpose: Identify which metrics match appropriately with your organization's risk posture and overall maturity.
Measured value:
- Time, value, and resources saved using our assessment tool to determine what metrics program is best for your organization, rather than trying to navigate all metrics at once: 2 FTEs * 5 days * $80,000/year = $3,200
- Time, value, and resources saved using our guidance: 1 consultant * 5 days * $2,000/day = $10,000 (if done by third party)

GI: Phase 2: Develop metrics program roadmap
Purpose: Determine the most effective methods to implement metrics through prioritization.
Measured value:
- Time, value, and resources saved using our guidance in identifying data sources, and our library template: 4 FTEs * 10 days * $80,000/year = $12,800 (if done internally)
- Time, value, and resources saved using our guidance: 1 consultant * 15 days * $2,000/day = $30,000 (if done by third party)

GI: Phase 3: Communicate the metrics program
Purpose: Effectively communicate the metrics that matter to stakeholders.
Measured value:
- Time, value, and resources saved using our guidance and communication template: 2 FTEs * 3 days * $80,000/year = $1,920

Total Costs Saved: $57,920

Additional value includes proactive demonstration of ongoing capabilities and improvements to decision-makers via metrics-based reporting; risk reduction resulting from a better understanding of the environment; and more justified security spend.

Slide 12: Implement and optimize a security metrics program – overview

Phase 1: Establish your metrics baseline
- Best-Practice Toolkit:
  - 1.1 Understand the need for metrics
  - 1.2 Differentiate between the types of metrics
  - 1.3 Assess your current state of metrics
  - 1.4 Identify your target state of metrics
  - 1.5 Analyze the gaps of your metrics program
- Guided Implementations:
  - Overview of metrics with discussion of current state and key metric information collection
  - Current and target state assessment
  - Gap analysis (if not achieved in second call)
- Onsite Workshop: Module 1: Current and target metric state analysis
- Phase 1 Outcome:
  - Understanding of the value of metrics
  - Determination of where your current metrics program needs to go (Security Metrics Assessment Tool)

Phase 2: Develop metrics program roadmap
- Best-Practice Toolkit:
  - 2.1 Prioritize suggested metrics
  - 2.2 Develop roadmap for implementation
  - 2.3 Create main library of metrics
  - 2.4 Identify data sources and collection methods
  - 2.5 Make data useful
- Guided Implementations:
  - Prioritize metrics and create library
  - Develop roadmap
  - Identify potential data sources and collection methods
- Onsite Workshop: Module 2: Prioritize metrics and plan for implementation
- Phase 2 Outcome:
  - Prioritized list of metrics for implementation
  - Metrics implementation roadmap
  - Metrics library
  - List of data sources identified

Phase 3: Track and report metrics
- Best-Practice Toolkit:
  - 3.1 Understand how to track metrics over time
  - 3.2 Report to stakeholders
  - 3.3 Review the metrics program
- Guided Implementations:
  - Review basic metric tracking
  - Discuss communication strategies
- Onsite Workshop: Module 3: Tracking and communication strategies
- Phase 3 Outcome:
  - Metrics tracking tool
  - Communications presentation for executive leadership

Slide 13: Info-Tech Research Group helps IT professionals to:

- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions – fast
- Deliver critical IT projects, on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department

Sign up for a free trial membership to get practical solutions for your IT challenges: www.infotech.com

"Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment." - ARCS Commercial Mortgage Co., LP

Toll Free: 1-888-670-8889

