Measuring success in cyber-security - what constitutes 'good'?

The ability to define what construes “good” cyber-security has become a priority for the industry, says Phil Cracknell, chief information security officer (CISO) at Homeserve.

Ahead of speaking at the 16 November Cyber Security Summit, where the challenges facing cyber-security practitioners will be addressed, he notes the lack of quantification in cyber-security.

Cracknell has long been involved in developing co-operation between CISOs, including conducting “anonymous surveys of CISOs to fill the void of information regarding breaches”; this work has since evolved into The Metrics Project.

The Metrics Project focuses on defining the mechanisms and language used to measure the effectiveness of information security, with more than 50 UK CISOs involved. As the collective work of more than 350 CISOs over its current lifespan, and purposely avoiding vendors and analysts thus far, the Metrics Project focuses on developing something that will deliver true value to the businesses of those involved: “By the CISO, for the CISO.”

Cracknell emphasised the role of metrics as “very much the key to our future” in measuring and validating the effectiveness of cyber-security. “Businesses are waking up to the fact that they need metrics and risk indicators that our board, audit committees and non-executive directors are able to understand.”

Promoting a “report what you should, not what you can” mind-set in organisations, Cracknell suggests metrics have the ability to affect business practice in a number of ways. “Metrics can demonstrate effectiveness, measure exposure and agility, test organisation culture, pinpoint responsibilities and highlight levels of investment”, all of which provide great insight into a sector and tangible, measurable indicators of cyber-security suitability.

Suggesting the current focus by security providers on product and technology may not be the optimum strategy going forward, Cracknell draws attention to the softer skills involved in effective cyber-security. “Security leads are still procuring solutions that don't address their top issues or risks. Good risk management will avoid this, and of course a solution for a risk doesn't always have to involve buying hardware, software or a service at all.” Instead, Cracknell advocates an introspective business model, with training of staff and improved process management.

Regarding issues surrounding ‘Bring Your Own Device', Cracknell says, “With our corporate perimeters expanding and even disappearing entirely, and the prevalence of personally owned devices in our work environments, businesses should concentrate on protecting the contents, not the containers, and identify critical data.”

Phil Cracknell will talk as part of the Cyber Security Summit at 3:30pm on 16 November, with his address Measuring Success: Metrics for Cyber Security Strategy. He is speaking alongside senior public and private sector figures, including Mark Sayers, deputy director of cyber and government security at the Cabinet Office, and Chris Ulliott, chief information security officer at the Royal Bank of Scotland.

Contributed by David Roberts, event director at GovNet

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.