Measuring the success and value of an information security organization is a perennial challenge across all industries. Consistently tracking the effectiveness of Information Security Management Systems (ISMS) is hard enough. Add to that C-level expectations for accurate metrics that equate to value in bottom line terms, and CISOs are faced with two ongoing challenges: quantifying the volume and impact of what didn’t happen (the events their ISMS prevented), and then attaching a monetary value to those non-events.
At Cisco, one way we’re trying to quantify and communicate to leadership how well our ISMS is performing is through an innovative methodology for consistently quantifying security incidents against an established industry benchmark from the Ponemon Institute.
The process incorporates two metrics commonly used in insurance accounting, applied in a new way to cyber: Annual Loss Expected (ALE) and Annual Loss Realized (ALR):
- ALE captures expected costs incurred in detecting, investigating, recovering from and managing cybercrime incidents. The related external consequences and costs include the actual loss of information, disruption to the business, equipment damage and subsequent revenue loss.
- ALR captures the actual impact and costs of handling security incidents, enabling us to look across types of incidents and specific functions to identify points of vulnerability needing correction.
ALR gives us a broadly accessible Board and C-level measure of security effectiveness. It also supports decision-making in individual business units about security investments, and helps bring visibility to the business impact of security incidents. The cost structure established for various types of incidents, combined with historical data, informs cost analysis of specific incidents; that data then drives targeted next steps.
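To make the ALE/ALR comparison concrete, here is a small worked example (added for illustration; it is not Cisco's tooling and not part of the original post). It takes constructed incident records for one fiscal year, each carrying the detect/investigate/recover/manage costs and the external consequence costs described above, computes ALR per incident type, and compares it with a per-type ALE benchmark. The benchmark figures are placeholders, not the Ponemon Institute's published numbers; the incident types and cost fields are assumptions chosen to match the post's cost categories.

```python
from collections import defaultdict

# Constructed incident records for one fiscal year (hypothetical values, in USD).
# Internal handling costs (detect, investigate, recover, manage) plus the
# external consequence costs (information loss, disruption, equipment, revenue)
# that stakeholders and subject matter experts would report each quarter.
INCIDENTS = [
    {"type": "malware",  "detect": 2000, "investigate": 5000, "recover": 3000, "manage": 1000, "external": 4000},
    {"type": "malware",  "detect": 1500, "investigate": 3000, "recover": 2000, "manage": 1000, "external": 2500},
    {"type": "phishing", "detect": 500,  "investigate": 1500, "recover": 1000, "manage": 500,  "external": 2500},
]

# ALE benchmark per incident type: expected annual cost for this category of
# incident. PLACEHOLDER figures, not the Ponemon Institute's published data.
ALE_BENCHMARK = {"malware": 20000, "phishing": 15000, "lost_device": 8000}

COST_FIELDS = ("detect", "investigate", "recover", "manage", "external")


def incident_cost(record):
    """Total cost of one incident across all internal and external cost fields."""
    return float(sum(record[field] for field in COST_FIELDS))


def annual_loss_realized(incidents):
    """ALR per incident type: the realized cost of every incident actually handled."""
    alr = defaultdict(float)
    for record in incidents:
        alr[record["type"]] += incident_cost(record)
    return dict(alr)


def compare_to_benchmark(alr, ale):
    """Line up ALR against the ALE benchmark per incident type.

    A type whose realized loss exceeds its expected loss is flagged as a
    candidate for corrective investment; a type with no incidents shows an
    ALR of zero, which still tells leadership something about the controls
    covering it.
    """
    rows = []
    for incident_type in sorted(set(alr) | set(ale)):
        expected = float(ale.get(incident_type, 0.0))
        realized = float(alr.get(incident_type, 0.0))
        ratio = realized / expected if expected else None
        rows.append({
            "type": incident_type,
            "ale": expected,
            "alr": realized,
            "ratio": ratio,
            "flag": ratio is not None and ratio > 1.0,
        })
    return rows


def total_alr(alr):
    """Organization-wide ALR, the single number a Board-level report would carry."""
    return float(sum(alr.values()))


if __name__ == "__main__":
    alr_by_type = annual_loss_realized(INCIDENTS)
    print(f"{'type':<12}{'ALE':>10}{'ALR':>10}{'ALR/ALE':>10}  flag")
    for row in compare_to_benchmark(alr_by_type, ALE_BENCHMARK):
        ratio = "n/a" if row["ratio"] is None else f"{row['ratio']:.2f}"
        print(f"{row['type']:<12}{row['ale']:>10.0f}{row['alr']:>10.0f}{ratio:>10}  {'*' if row['flag'] else ''}")
    print(f"total ALR: {total_alr(alr_by_type):.0f}")
```

Run quarterly over the incident data gathered from stakeholders, the per-type rows feed the discussion of where to direct the next round of process or tooling changes, while the single total is the figure that travels up to the CISO and the Board.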
This practical, actionable approach can be beneficial to any organization grappling with the value of its security investment. While Cisco leverages the Ponemon study’s “large organization” category, the study breaks down the cost data benchmark by different company sizes and security postures, and for companies across multiple sectors. Regardless of size or unique industry considerations, the methodology should remain the same, making it broadly applicable.
We are now seeing success at not only quantifying the value of our information systems security, but also in using the data we’re tracking to strategically manage our security efforts going forward. At the end of every fiscal quarter, our information security group works with internal clients, stakeholders, and subject matter experts to gather security incident data and determine its total impact on the business. That analysis is presented to the CISO and other business leaders, providing a forum to discuss trends and upcoming changes in processes and tools. In the rare event of a high-impact incident, this data is shared beyond the information security team to help broader staff understand the impact of these types of incidents.
Given the benefits we’re experiencing, we’re sharing more details about our ALR measure and examples of how it can be used to benefit security organizations everywhere. Information Security professionals, IT staff, and business people with an interest in security metrics are invited to download this succinct infographic and executive brief or the more detailed white paper that describes this useful methodology.