Is it possible to measure IT Security?

Or is that somebody else’s problem?

Workshop It is a commonly held principle in many areas of business that if you can’t measure something “quantitatively”, it will be difficult to raise the quality objectively. The applicability of this statement to the world of IT security is clear. Without having some form of metrics in place, it is tough, if not impossible, to judge whether security is getting better over time. Indeed, it is probably fair to say that many organisations have only one way to assess security – namely, “did anything go wrong” – but this is hardly a metric for the forward-looking.

Meanwhile, of course, the drivers for proactively monitoring 'security' and the associated effectiveness of security solutions are becoming increasingly high-profile. Regulatory pressures on organisations to secure their operations are more explicit than in the past, while customers and shareholders are less prepared to tolerate IT security breaches. The continuing spread of legislation dictating that organisations actively notify affected parties when data is potentially lost or at risk is certain to add to the pressure to demonstrate that security measures are properly established.

Another potential driver for security monitoring and measurement which is very easy to overlook is cost-justifying the role played by individual IT security measures. If it were possible to evaluate the effectiveness of security in simple terms, for example through verifying numbers of attacks and threats which have been prevented from executing, such measurements could help justify existing spend. They could even validate requests for additional resources as either the threat landscape changes or as new business requirements come into play.

And all the while the nature of security threats is changing, both in the technical vectors used to breach systems and in the “philosophy” of those organising the attacks. The days of hackers breaking into systems for the kudos of it are over. Today the vast majority of security breaches are commercially driven, with the goal of making money. With threats becoming more sophisticated, how can an organisation test the effectiveness of even the basic elements of security tooling, such as anti-virus solutions, firewalls and web page checks?

Some organisations do attempt to line up a range of tools, say in the anti-virus space, and compare how well they detect threats. Most such tests rely on 'known' sources of malicious code, and this approach is fine if an organisation is certain that it is only ever going to be subjected to the threats of the day before yesterday.

But as has already been stated, threats change all the time with new challenges being pushed into the arena almost every hour of every day. IT today has to be ready, in the words of Douglas Adams, “to expect the unexpected”. Even more importantly, and this is something that needs recognition by everyone working in an organisation, security is not 'somebody else’s problem'. As illustrated by the results of our last poll, security is a challenge to be addressed by everyone.

So if measuring the effectiveness of solutions against known threats is at best only part of the answer, the question arises of how security tools can be measured accurately against unknown threats or the real world at large, particularly against so-called “zero-day attacks” – that is, exploits of as-yet-undiscovered security holes. Is it really possible to test against the unknown? There are some moves afoot, for example, to test security products using wild sources of infection rather than running tests on predefined, 'canned' threats. It will be interesting to see how these new tests develop, and how much attention they get amongst IT professionals.

It is likely that a growing number of organisations will look at measuring security and extend this to attempting to qualitatively gauge the effectiveness of the security tools on offer. But given just how difficult it is to apply any measure to security, it is important to look beyond security tools and processes, and look at where measurements can be applied in reducing risks across the board. For example, we know that educating users about their responsibilities in protecting systems and data has significant benefits in raising security effectiveness – and it is perfectly possible to measure the level and effectiveness of awareness across an organisation.

It should also be within most organisations’ ken to run auditing tools on a regular basis, and log the outputs as part of an ongoing security improvement programme. It is unlikely that any organisation will come out unscathed, but this uncomfortable truth should not be a reason – as we have heard from a number of organisations – for any such checks to be turned off, for fear of what they might turn up.

In IT security there are few absolutes, but a good start is at least to identify a baseline which can be built upon. If you have found any good ways to measure security tools and IT operational security effectiveness, we’d be very interested in hearing your secrets of success. ®
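The baseline-and-trend approach of the last two paragraphs, as an added example that is not part of the original article: a small Python script that takes the logged output of periodic audit runs (the three runs, finding ids and severities below are constructed, not real data), treats the earliest run as the baseline, and reports open findings by severity, the change against that baseline, and mean time to remediate.

```python
from collections import Counter
from datetime import date

SEVERITIES = ("high", "medium", "low")

# Constructed audit log (not real data): each run records the findings that
# were still open on that date, keyed by finding id, with a severity.
AUDIT_RUNS = {
    date(2014, 7, 1): {"F-1": "high", "F-2": "medium", "F-3": "low", "F-4": "high"},
    date(2014, 8, 1): {"F-2": "medium", "F-3": "low", "F-5": "high"},
    date(2014, 9, 1): {"F-3": "low", "F-5": "high", "F-6": "medium", "F-7": "low"},
}


def open_by_severity(findings):
    """Count the open findings of one run per severity (zero-filled)."""
    counts = Counter(findings.values())
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def remediation_days(runs):
    """Days from first sighting to first absence, for every finding closed so far.

    A finding id that disappears from a later run is treated as remediated on
    the date of that run; findings still open in the latest run are excluded.
    """
    first_seen, closed = {}, {}
    for d in sorted(runs):
        for fid in runs[d]:
            first_seen.setdefault(fid, d)
        for fid, seen in first_seen.items():
            if fid not in runs[d] and fid not in closed:
                closed[fid] = (d - seen).days
    return closed


def metrics_report(runs):
    """Compare the latest run against the baseline (earliest) run."""
    dates = sorted(runs)
    baseline, latest = runs[dates[0]], runs[dates[-1]]
    base_counts, latest_counts = open_by_severity(baseline), open_by_severity(latest)
    closed = remediation_days(runs)
    return {
        "baseline_date": dates[0].isoformat(),
        "latest_date": dates[-1].isoformat(),
        "open_by_severity": latest_counts,
        "delta_vs_baseline": {s: latest_counts[s] - base_counts[s] for s in SEVERITIES},
        # High-severity items that were not present in the baseline run: the
        # regression signal worth escalating rather than burying.
        "new_high_since_baseline": sorted(f for f, s in latest.items()
                                          if s == "high" and f not in baseline),
        "mean_time_to_remediate_days": round(sum(closed.values()) / len(closed), 1) if closed else None,
        "remediated_count": len(closed),
    }


if __name__ == "__main__":
    print(metrics_report(AUDIT_RUNS))
```

The same structure works for any audit tool whose output can be reduced to a dated set of open finding ids, which is what makes a regular, logged run comparable with the last one.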