Last week, I had the opportunity to spend a couple of days with a bunch of CISOs and senior information security leaders in New York at an event put on by CSO Magazine.  It was interesting to hear from them about the challenges they are facing and some of the things they’ve learned to make their organizations more effective.

I have a load of notes from the two-day session but, as I look back, a few things stand out that I think are worth noting here.  I’ll start with my notes from one of the main sessions.

For good measure

One of the CISOs was from a major financial organization, and he discussed some of the metrics they are using to gauge the effectiveness of their “detection” efforts and controls.  Some of the metrics they are using include:

  • Time to detect a security issue
  • Time from identification to beginning work (with a ticket)
  • Time to resolve / close the issue

I like these as they are something tangible you can focus on and improve (the last one maybe not so directly, but it’s still a great performance indicator to capture and track).  I suggest also tracking which “control” or mechanism detected each issue, so you can analyze it after the fact and figure out which of your controls are actually contributing to your success in detecting and correcting security issues.
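To make the three metrics concrete, here is an added example (mine, not code from the post or from the CISO’s organization) that computes them over a small constructed incident log and also breaks time-to-detect down by the control that raised the issue. Field names, the sample timestamps and the control labels (edr, siem, user_report) are assumptions; the one point worth noticing is that “time to detect” needs an estimate of when the issue actually began, which normally comes from forensics, while the other two can be read straight from the ticketing system, and open incidents have to be counted rather than silently dropped.

```python
"""Detection metrics over a constructed incident log (added example, not the post's code)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    ident: str
    detected_by: str                # control that raised it (assumed labels: edr, siem, user_report)
    began: datetime                 # earliest evidence of the issue, established by forensics
    detected: datetime              # when a control or person flagged it
    ticketed: Optional[datetime]    # when response work was opened; None if never ticketed
    resolved: Optional[datetime]    # None while the issue is still open


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (not real incidents); INC-3 is deliberately left open.
INCIDENTS = [
    Incident("INC-1", "edr", _t("2024-03-01T08:00"), _t("2024-03-01T10:00"),
             _t("2024-03-01T10:30"), _t("2024-03-01T16:00")),
    Incident("INC-2", "siem", _t("2024-03-02T00:00"), _t("2024-03-03T00:00"),
             _t("2024-03-03T04:00"), _t("2024-03-04T00:00")),
    Incident("INC-3", "user_report", _t("2024-03-05T09:00"), _t("2024-03-05T12:00"),
             _t("2024-03-05T12:15"), None),
    Incident("INC-4", "edr", _t("2024-03-06T13:00"), _t("2024-03-06T13:10"),
             _t("2024-03-06T13:20"), _t("2024-03-06T15:10")),
]


def minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def time_to_detect(i: Incident) -> float:
    # Requires the forensic "began" estimate; a pure ticket export cannot give you this.
    return minutes(i.detected, i.began)


def time_to_ticket(i: Incident) -> Optional[float]:
    return None if i.ticketed is None else minutes(i.ticketed, i.detected)


def time_to_resolve(i: Incident) -> Optional[float]:
    # Measured from detection, so it includes the time spent waiting for a ticket.
    return None if i.resolved is None else minutes(i.resolved, i.detected)


def summarize(incidents: list) -> dict:
    """Median of each metric; unresolved incidents are counted, not dropped."""
    ttd = [time_to_detect(i) for i in incidents]
    ttt = [v for v in (time_to_ticket(i) for i in incidents) if v is not None]
    ttr = [v for v in (time_to_resolve(i) for i in incidents) if v is not None]
    return {
        "incidents": len(incidents),
        "median_minutes_to_detect": median(ttd) if ttd else None,
        "median_minutes_to_ticket": median(ttt) if ttt else None,
        "median_minutes_to_resolve": median(ttr) if ttr else None,
        "still_open": sum(1 for i in incidents if i.resolved is None),
    }


def by_control(incidents: list) -> dict:
    """Which control is actually finding things, and how quickly."""
    groups: dict = {}
    for i in incidents:
        groups.setdefault(i.detected_by, []).append(i)
    return {
        control: {
            "count": len(group),
            "median_minutes_to_detect": median([time_to_detect(i) for i in group]),
            "still_open": sum(1 for i in group if i.resolved is None),
        }
        for control, group in groups.items()
    }


if __name__ == "__main__":
    for name, value in summarize(INCIDENTS).items():
        print(f"{name}: {value}")
    for control, stats in by_control(INCIDENTS).items():
        print(f"{control}: {stats}")
```

Medians rather than means are used because a single slow-burning incident (INC-2 here) would otherwise dominate the average; if you report the mean, report the count and the open-incident figure beside it so the number cannot be gamed by closing easy tickets fast.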

Learn from the past – deliberately

Speaking of looking at things after the fact, another recommendation from the same CISO was to devote some time (or in his case, two people) to systematically review significant issues (successfully resolved or not) to identify “Lessons Learned.”  Since implementing this approach, he says their effectiveness has improved dramatically because they have been able to isolate and improve shortcomings in their security capabilities, as well as identify capabilities they want to build on and expand to improve their chances of success in the future.

The lessons they learn are not just from traditional infosec forensics (i.e. the IT-specific part of the equation) – they also look at other parts of the business that contributed to the issue, were impacted by the incident, or were involved in the response – and their learnings can include virtually any aspect of the chain of events, including those outside of IT.

He also talked about how this helps with risk management, as it helps reinforce their decisions.  With this approach, they don’t look at just assets and vulnerabilities, they also deliberately look at threats and impact and tie in “systemic risk.”  He noted that the complex interdependencies and relationships (inside and outside of IT) must be understood or you will spend your company’s resources inappropriately.

Licensed to succeed

Perhaps the most interesting technique he discussed was their “driver’s license” approach.  They issue a sort of driver’s license to their users and dangerous behaviors can get you in trouble – essentially, you receive a citation for each violation of their security (and operational) policies.  Mess up enough and they put you on probation, after which you must go to training or demonstrate responsible use to get off probation.

I like this concept, but it seems like it could be a lot of work and must have across-the-board support from management to make it stick from a cultural perspective.  I admire them for doing it.

I’ll be sharing more of the things I learned from this event in various ways here in the future.

By the way, this also drove home the importance of networking and sharing best known methods with our peers – we can all learn more with that approach (and it is a lot more fun that way).

Categories: Risk-Based Security for Executives, IT Security and Data Protection
Dwayne Melancon

Dwayne Melancon has contributed 131 posts to The State of Security.