Cyber-security industry needs benchmarks for access risk

Wave upon wave of data breaches are putting company IT security measures under the microscope worldwide, says Chris Sullivan.

Chris Sullivan, VP advanced solutions, Courion

Not surprisingly, C-suite executives and board members alike are asking, “Are we at risk?”, “What are we doing to prevent this from happening to us?” and “How are we doing relative to others?”

But, as information security professionals seek to review their readiness to protect data and respond to these questions, they are working in the dark because there are no credible industry benchmarks for access risk, based on relevant standards similar to those for network support and application development.

This is a serious matter because the root cause of most data breaches lies in a deficiency in access management. An organisation's ability to deter or detect hackers and other foes can't be improved simply by adding a new patch or control. More disciplined and consistently applied access management is needed, but success depends on having a more credible measurement of performance relative to the norm for common access vulnerabilities.

For other domains like network and application support, a CIO can measure their own systems' performance or that of their service provider using standardised metrics like downtime or mean time between failures. Why can't similar metrics be made available for access risk benchmarks?

In understanding security vulnerabilities, some companies can turn to risk scores, but there is scepticism about whether these can be fairly compared between organisations of a similar size and be a clear benchmark of security management performance.

What's more, risk scores do not necessarily include specific metrics around everyday access risks such as abandoned accounts that have not been terminated, or accounts with privileged access with little or no oversight. Indeed, we find that even in well-managed organisations these vulnerabilities mount up quite seriously. For example, one client we worked with found 1,000-plus ex-contractor accounts open, 130 ex-employee accounts unterminated and 25 users with access rights in excess of their role.

So having metrics that are robust and insightful matters because CISOs and IT professionals need hard data to understand where to focus their efforts, to justify security expenditure and to assure the board and customers about how well they are prepared to reduce the impact and likelihood of attacks. Indeed, access risk metrics can be a bulwark that protects both a CISO's reputation and their organisation when threats are intensifying.

There is an opportunity to develop benchmarks that are comparable and credible. Indicators about access risk are especially helpful in this respect. For example, benchmarks could be established for the number of access entitlements per person, or privileged, abandoned or orphaned accounts.

Identity analytics and intelligence, or IAI, can be an integral component of identity governance and administration. But it is critical that we don't simply turn on a fire hose of data that's of little practical use. To paraphrase what was said in the recent Verizon DBIR report, it's great that communities of CISOs and vendors share data, but let's focus on quality, not quantity, in our intelligence sharing.

The challenge is how CISOs and access security experts as a whole agree on standardising these definitions, and then collect industry-specific benchmarks that allow companies to assess their access security management against other comparably sized companies of similar industry or complexity.

While there are security standards and frameworks out there, metrics about access management and vulnerability are not standardised in ways that are entirely useful to CISOs and IT managers. However, there are commonly understood data sets around access risks that could provide the basis for metrics that will be truly beneficial to customers.

So, the call for action is for organisations like mine that can assemble these access risk metrics to join forces with CISOs and others to define a set of metrics. We need to agree how to best collect and anonymise the access performance data so that it can be shared back to the world for the common good.

Contributed by Chris Sullivan, vice president of advanced solutions, Courion