From: BeyeNetwork
Dr. Ramon Barquin, Silka Gonzalez
Being an information security manager today is no mean feat! Organizations live and breathe interconnectivity and one-click transactions. Increased pressure on information security managers means that they need to demonstrate and emerge flawless on key metrics and business drivers almost every day. These IT professionals are usually the “go to” persons for answers to mission-critical questions that demand quick analyses and flawless decision making. The chief information security officer (CISO) has become a key position in the IT shop, just under the CIO.
In the federal world, the term information security has now become “cybersecurity,” and it is one of the top priorities in all of government. President Obama is on record as having said that the “cyber threat is one of the most serious economic and national security challenges we face as a nation,” and FBI Director Robert Mueller believes it will surpass terrorism as the country’s number one threat.
Furthermore, there is now a national cybersecurity strategy and a cybersecurity czar. Many federal agencies have followed suit with their own plans. There is a now a Cyber Command at the Department of Defense, a Cyber Division at the FBI, a National Cyber Security Division at the Department of Homeland Security, and Congress is in the process of preparing cybersecurity legislation.
The vocabulary has followed suit as we have morphed from information security to cybersecurity. The emergence of parallel terminology in the press such as cyberwarfare, cybercrime or cyberattacks has been an important factor. Its meaning is still the same, but the level of attention it receives when “cyber” is prefixed seems to be much greater.
Definitions are often useful for grounding a discussion. The International Telecommunication Union (ITU) sits astride the world’s communications networks and is an authoritative source in this domain.
Following is their definition for cybersecurity: “The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.”
The fact is that these are trying times for organizations, especially for government agencies. Information technology and the Internet have brought about remarkable growth, but they have also exposed enterprises to new risks – risks that change every day in form and severity and could essentially originate from any place on the globe. The problem is further exacerbated due to the fact that the world is dotted with countries, states, cities and counties, each having its own set of laws and regulations. What might be a crime in one part of the globe might not be a crime in another. Furthermore, the federal government must be very concerned with what other nation states or criminal gangs might be doing on the cyber front, especially if they are not friendly states, as well as the current activities of hacker activists such as WikiLeaks or Anonymous. When speaking about cybersecurity or information security, certainly there is a lot of truth to the statement that “a good defense is truly the best offense.”
Given these conditions, making quick, accurate, and timely cybersecurity decisions at the enterprise level is not an easy task. However, the combination of data analytics and cybersecurity can generate business intelligence useful for mitigating the risks and moving toward a solution.
Data Analytics
Data analytics helps streamline and channel large amounts of information and allows the creation of a single-screen dashboard that can provide an organization with a concise and meaningful view of the state of enterprise-wide information security. Think of a dashboard as a real-time snapshot of the organization’s key cybersecurity indicators.
The biggest advantage offered by an information security dashboard is that it is simple and can be tailored to display information in a form that is concise and easy to understand. A cybersecurity manager’s task becomes a lot easier with such a tool because the dashboard does most of the “talking” in the boardroom and can effectively guide top management decisions in the organization.
When dealing in the cybersecurity domain, it is necessary to keep tabs on the basics: who, what, when, where, how, and why. This translates, at the very least, to keeping statistics on the types of attacks (e.g., eavesdropping, phishing, data modification, spoofing, denial of service), the malware (e.g., viruses, worms, root kits, backdoors, key loggers, etc.) and the categories of hackers (e.g., governments, criminal gangs, script kiddies or hacker activists).
Capturing the URLs of both the attackers and the attacked, time stamping the incidents and enriching each with other relevant available background information will allow analysis on this data to obtain useful business intelligence.
The true power of information security dashboards is that their design is limited only by an organization’s specific requirements and the dashboard designer’s imagination. Let’s take a look at some of the ways these dashboards can change how information security decision making is handled.
What Are We Spending and Where?
Organizations spend large amounts of money on cybersecurity each year, and federal expenditures in this area are not going down in spite of the cuts to government budgets. Tracking information security investments and their performance can be quite a hassle, and a CISO is often questioned by management about where the information security budget is being spent and how successfully. A customized cybersecurity dashboard can effectively perform this task and provide additional information to assist decision support on the cyber front. Such a dashboard can highlight spending by area, the impact on specific objectives, budget spent vis-à-vis risk priorities identified in recent assessments, and to what extent regulatory compliance goals have been achieved as a result of the spending. This dashboard essentially analyzes how well the money was spent and measures the cybersecurity program’s performance in a given time period.
Where Is My Information?
One of the most basic steps to take to secure an agency’s sensitive information is to closely examine and enumerate exactly where this information dwells, where it originates, where it goes, and where it gets destroyed when no longer needed. Data analytics helps create dashboards for precisely this task. What is more, once a dashboard is designed, the process is essentially automated, and the only requirement from the organization is to view and monitor the dashboard. All new information is updated in the dashboard while all information that is destroyed can be logged and presented on the dashboard as required. Information in transit, once difficult to track, can be easily monitored using a single dashboard.
That said, the dashboard will be populated from one or more data stores architected specifically for that purpose. Having these sources of historical cybersecurity data will also provide additional opportunities for analysis and the extraction of business intelligence.
Real-Time Decision Making
The cybersecurity scene witnesses new vulnerabilities every day, and patches to address these vulnerabilities become available every week. These are provided primarily by the software vendors who own the source code that runs our operating systems, our networks, and most of our applications. With the rise of mobile computing, we are seeing these vulnerabilities – and hence additional patches – also appear on the mobile front. A customized information security dashboard can provide an enterprise with a real-time snapshot of the most significant exposures that impact the organization specific to the types of platforms, software, and technical infrastructure that it employs. This is important because having a sea of information on all the vulnerabilities that exist in cyberspace is not really helpful for making quick and efficient organization-specific decisions. Tweak the dashboard a step further, and it can essentially automate the decision-making process for patches and upgrades. It can report trends in cybersecurity incidents being faced by an agency, and that information can be used for effective incident response.
The same dashboard could be further enhanced to help the organization make decisions on new technical infrastructure purchases and the retirement of old/legacy infrastructure. This dashboard can, in effect, combine the knowledge of published vulnerabilities, the nature of transactions performed, and the technical requirements of the organization for efficient functioning to help make decisions on the precise kind of technical infrastructure necessary for optimal performance and security.
What Would Happen If We…?
Organizations are faced with many “what if” questions on a daily basis, especially when it comes to cybersecurity. These questions could be about increasing or decreasing the budget, the cybersecurity implications of a reorganization, or altering the size and composition of the cybersecurity workforce. Tailored dashboards can be equipped with “policy levers” – policies designed to move or encourage action in a particular direction – that can be increased or decreased. With this new information, the dashboard can perform real-time analyses based on its understanding of the agency and its dynamics in order to depict a possible outcome and provide some answers to the many “what if” questions that the organization faces.
Training Tool
A customized cybersecurity dashboard can actually be used to train non-technical staff, senior and top management on cybersecurity and how it holistically impacts their organization. These specialized dashboards contain various policy levers for basic information security aspects such as regularly changing passwords, the amount of information to disclose to an outsider, shredding sensitive documentation, and so on. By changing their weights and simulating behaviors, the dashboard can be used in a security awareness program to demonstrate to an audience the impact these policy levers can have. Trainees can, and should be encouraged to, even shift the policy levers themselves to see how they affect the organization. To learn something theoretically may have an impact on trainees, but learning through simulation is usually more effective.
Last Words
The partnership of data analytics and cybersecurity has proven to be a success in the many private sector organizations that have incorporated such dashboards into their boardroom meetings. They can also be an important tool for government agencies and their CISOs by providing business intelligence to enable decision support.
Every enterprise is a unique entity with its own significant metrics and indicators. Thus, customizing and tailoring cybersecurity dashboards is the key to data analytics and business intelligence in this high priority battlefield.
Dr. Barquin is the President of Barquin International, a consulting firm, since 1994. He specializes in developing information systems strategies, particularly data warehousing, customer relationship management, business intelligence and knowledge management, for public and private sector enterprises. He has consulted for the U.S. Military, many government agencies and international governments and corporations.
Dr. Barquin is a member of the E-Gov (Electronic Government) Advisory Board, and chair of its knowledge management conference series; member of the Digital Government Institute Advisory Board; and has been the Program Chair for E-Government and Knowledge Management programs at the Brookings Institution. He was also the co-founder and first president of The Data Warehousing Institute, and president of the Computer Ethics Institute. His PhD is from MIT. Dr. Barquin can be reached at rbarquin@barquin.com.
Silka is the president and founder of Enterprise Risk Management, an information security consulting company established in 1998. She has more than 20 years of experience in IT security and IT auditing and holds expertise in best practices in business continuity planning. Prior to founding ERM, she was a consultant with Price Waterhouse, where she was a manager of IT and business services. Her undergraduate degrees are from Xavier University (Cincinnati, OH) and her Master’s degree in Accounting Information Systems is from Florida International University (Miami, FL) where she also teaches graduate courses in IT Audit. Silk holds the following certifications: CISSP, CISM, CISA, CPA, CRISC, PCI-QSA and CITP.
Leave a Reply