Keeping up with current vulnerabilities, techniques, malware and threats is something expected of advanced technical-security analysts. The role of a CIO/CISO is to ensure that the organisation understands its information risks and undertakes appropriate management of these.
So how does that translate into real activity and an action? Start by asking questions. Some questions will be answered easily, others will be difficult and will result in people trying to avoid answering them: not because they are scared of the answer, but because it's difficult to generate the answer.
Start with this: how many security incidents occurred last week, month, year?
Of course it's necessary to define what a security incident is. But don't go over the top trying to make this too complicated. Keep it simple and quite broad to begin with. You can start to categorise different types of incident later on. But you need to know how many incidents are occurring so that you can determine how effective your preventative measures are.
There are lots of good follow-ups to this question, such as: can you give me a breakdown of detection by each different technology (anti-virus, firewall threat feeds etc)? This allows you to start measuring the effectiveness of each different detection technology - a very useful starting point when it comes to allocating budgets.
It brings us to an important point: cyber-metrics. You need to devise some to try and focus the right behaviour and financial expenditure. Good metrics may include:
1. Average cost per incident – if you add up all your ‘cyber-security' costs (those over and above firewalls and anti-virus) and divide them by the number of incidents you had investigated; what is the figure? This is quite a crude metric, but it is also quite a good starting point.
2. Average window of opportunity for an attacker – another very good test for your defences and security analysts. How long was the attacker active on the system before you managed to gain control of the situation? If you are spending huge amounts of money and the number is not coming down or not below 20 days; then you may want to investigate your expenditure and its effectiveness.
3. Average recovery time – from identifying a compromised asset to closing the incident down, having confirmed that the environment is now safe, how long is the average recovery time? Typically anti-virus will have an excellent recovery time.
To answer the questions above requires the ability to undertake a reasonable level of incident response. Focusing the incident response on what the business needs (as opposed to the fun that is forensic analysis) can be quite tricky. It helps to focus everyone's attention by asking four questions after every incident:
1. How did the attacker/malware/breach occur?
2. What did the attacker do?
3. How do we get back to business as usual?
4. How do we make sure this never happens again?
These are four questions that can't be asked of your anti-virus (or current silver-bullet) package and requires you to have security analysts or a decent managed security provider on-board.
As cyber-crime evolves and new threats and attack vectors emerge on a daily basis, it's tempting for IT security professionals to get bogged down with technical detail. However, the questions CISOs should be asking haven't changed – the most important thing to understand is how a breach impacts the business.