Thursday, February 4, 2010

The Open Group seeks to spur evolution of security management from an art to a science

This guest post comes courtesy of Jim Hietala, Vice President of Security for The Open Group.

By Jim Hietala

As we wrapped up day one of the Security Practitioners Conference Plenary here at The Open Group Seattle Conference this week, I must say we heard excellent presentations on security management and metrics from Adam Shostack at Microsoft, Vicente Aceituno from ISM3 Consortium, Mike Jerbic at Trusted Systems Consulting, Phil Schacter from The Burton Group, and Kip Boyle from Pemco Insurance.

Some of the key takeaways included:
  • There is a real need for better external, big-picture data about attacks, about which controls are actually in place, and about how effective those controls are. Without objective data of this sort, it's difficult to have an intelligent discussion about whether things are getting better or worse, to develop an understanding of attacks and threat vectors, or to say what really constitutes a best-practice control. Data from sources such as the Verizon Data Breach Investigations Report and DataLossDB are highly valuable, but more data (and more detailed data) is needed.

  • There's also a clear need to instrument our security programs, being careful to measure the right things. Security metrics are most useful when they directly support decisions that advance business goals. Put another way, for an e-commerce company, a metric that tells management how many viruses were scrubbed from desktops is not really relevant to the mission. A metric that measures the mean time to remediate web application vulnerabilities is directly relevant, because reducing that time has a real effect on the business's exposure and therefore on its goals.

  • Adding a maturity-level approach to information security management (as is done in ISM3, a new security management project in The Open Group Security Forum) makes the method approachable for many more kinds of businesses. Each organization can target the maturity level that fits it: the level appropriate for a Fortune 100 company or a defense firm would be unattainable for a typical small- to medium-sized business, and a single fixed bar would simply leave such businesses out.

  • Continuous improvement in managing information security depends on effective, relevant metrics.
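To make the "measure the right things" point concrete, here is an added example (not from the post or from The Open Group) that computes the web-application remediation metric mentioned above from a small, constructed list of vulnerability-tracker records. The tracker fields, severities and SLA targets are assumptions for illustration. It also shows the caveat a practitioner should watch for: averaging only the findings that have been closed hides the open backlog, so the example reports the age of still-open findings and SLA breaches alongside the plain mean time to remediate.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One web application vulnerability record (hypothetical tracker export)."""
    id: str
    severity: str          # "high", "medium" or "low"
    opened: date
    closed: Optional[date]  # None means the finding is still open


# Constructed sample data; not real findings.
FINDINGS: List[Finding] = [
    Finding("WEB-101", "high",   date(2010, 1, 4),  date(2010, 1, 9)),
    Finding("WEB-102", "high",   date(2010, 1, 6),  date(2010, 1, 20)),
    Finding("WEB-103", "medium", date(2010, 1, 7),  date(2010, 1, 28)),
    Finding("WEB-104", "high",   date(2010, 1, 11), None),
    Finding("WEB-105", "low",    date(2010, 1, 12), date(2010, 1, 14)),
    Finding("WEB-106", "medium", date(2010, 1, 13), None),
]

# Assumed remediation targets in days, per severity (illustrative only).
SLA_DAYS: Dict[str, int] = {"high": 7, "medium": 30, "low": 90}


def age_days(f: Finding, as_of: date) -> int:
    """Days from open to close, or to the reporting date if still open."""
    end = f.closed if f.closed is not None else as_of
    return (end - f.opened).days


def remediation_metrics(findings: List[Finding], as_of: date,
                        severity: Optional[str] = None) -> dict:
    """Time-to-remediate figures for one severity (or all if None).

    mttr_closed_only is the number most reports quote; mean_age_all and
    oldest_open_days show what that number leaves out.
    """
    sel = [f for f in findings if severity is None or f.severity == severity]
    closed = [age_days(f, as_of) for f in sel if f.closed is not None]
    open_ages = [age_days(f, as_of) for f in sel if f.closed is None]
    all_ages = closed + open_ages
    return {
        "count": len(sel),
        "closed": len(closed),
        "open": len(open_ages),
        "mttr_closed_only": mean(closed) if closed else None,
        "median_ttr_closed_only": median(closed) if closed else None,
        "oldest_open_days": max(open_ages, default=0),
        "mean_age_all": mean(all_ages) if all_ages else None,
    }


def sla_breaches(findings: List[Finding], as_of: date,
                 sla: Dict[str, int]) -> List[str]:
    """IDs of findings whose age exceeds the SLA for their severity.

    Open findings count too: an unfixed high that is 24 days old is a
    breach even though it contributes nothing to mttr_closed_only.
    """
    return [f.id for f in findings if age_days(f, as_of) > sla[f.severity]]


if __name__ == "__main__":
    report_date = date(2010, 2, 4)
    for sev in (None, "high", "medium", "low"):
        print(sev or "all", remediation_metrics(FINDINGS, report_date, sev))
    print("SLA breaches:", sla_breaches(FINDINGS, report_date, SLA_DAYS))
```

On the constructed data, the closed-only MTTR for high-severity findings is 9.5 days, which looks close to a 7-day target; the open 24-day-old high finding, visible only through `oldest_open_days` and `sla_breaches`, is the figure management actually needs to act on.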

It's clear that security management is steadily moving from art to science. Effective metrics and a maturity-model approach are critical to making this transition happen.

For more information about the work The Open Group Security Forum is doing to encourage the evolution of security management, please visit: http://www.opengroup.org/security/.