With Security Metrics, Every Picture Tells a Story

Tenable recently sponsored the publication of an ebook, Using Security Metrics to Drive Action. This ebook is a compilation of thoughtful essays from 33 CISOs and other experts, who all share their strategies for communicating security program effectiveness to business executives and the board. In this article, excerpted from the ebook, Aanchal Gupta, Chief Information Security Officer (CISO) for Skype at Microsoft, talks about how she selects metrics to illustrate business risks.

Aanchal Gupta empathizes with C suite executives’ need to get to the point of any discussion. As chief information security officer (CISO) for Skype and Skype for Business, she appreciates terseness from her own team.

When an executive asks her for an enterprise security update, she shows the same courtesy. That attitude helps guide her selection of metrics to illustrate business-risk assessments to senior leaders. Examples of those metrics include:

• Externally reported security incidents. Because Skype is a public-facing, Microsoft-owned communications platform, external researchers do a lot of testing on Skype. “Anything that is reported is taken very seriously. We track these issues closely,” Gupta says. She graphs incidents over time, she states, to help leadership understand whether Skype is addressing these potential vulnerabilities. She also tracks the mean time to resolve each issue. If, over time, both graphs do not trend downward, she notes, “Then something is wrong—we are not focusing our engineering investments in the right places.”
• Penetration testing. Skype regularly pen-tests its own product, Gupta notes, and this metric reveals any visible gaps. “I try to categorize those gaps for our leadership team,” she adds. Skype uses Microsoft’s “STRIDE” model to categorize threats—an acronym that stands for “spoofing identity,” “tampering with data,” “repudiation threats,” “information disclosure,” “denial of service” and “elevation of privilege.” The metric is important to senior leadership, Gupta asserts, because they know that penetration failures can be prevented with more in-depth training.
• Engineering security maturity. Gupta believes that when engineers understand that they’re responsible for security from the requirements phase all throughout the development process, the final product is more secure. That’s why threat modeling is required of the Skype engineering teams. She uses color-coded heat maps to track teams’ relative security-preparedness ranking graphically, she says. The best prepared fall into the green zone; the least prepared are color-coded red. This is a simple way to communicate to executives which engineering teams need “encouragement” to focus more on security. “You can see the wheels moving right away,” she comments. “You leave the executive meeting and right away you get four follow up meeting invitations from the engineering managers: ‘Can you walk my team through why we are red and how we can get to green?’”

Right away you get four follow up meeting invitations from the engineering managers: ‘Can you walk my team through why we are red and how we can get to green?’

It is important for CISOs to avoid presenting prebaked metrics to executives, Gupta cautions. If at an executive meeting you point out that the organization has several open security issues, someone will ask you to prioritize and rank them. If you reply that some of the issues you have charted have not yet been severity-ranked, leadership will not be happy.

“Don’t go to your leadership unprepared,” Gupta urges, “Your data should reflect the homework you have done.”

A final insight: a picture is worth a thousand words, especially one that illustrates your metrics in an effective and cogent way. “You may speak for an hour and nobody will believe that you have affected the problem,” Gupta contends. “But if you show leadership a trend graph, they’ll be convinced.”

Don’t go to your leadership unprepared. Your data should reflect the homework you have done.

More information

• Get your copy of the ebook, Using Security Metrics to Drive Action.
• Watch the Tenable Blog for weekly excerpts from Using Security Metrics to Drive Action. You can subscribe to the blog by clicking Blog email updates on the Blog Home Page.

About the author

As CISO for Skype at Microsoft, Aanchal Gupta leads a team of experts at Microsoft in the areas of security, privacy, and compliance. She is passionate about building products that are safe, trustworthy, and accessible to everyday users. Prior to joining Microsoft, Aanchal led Yahoo!’s Global Identity team, contributing to various authentication and authorization open standards such as OpenID and OAuth. She has more than two decades of experience leading large, distributed development teams developing global software used by millions.