Editor’s Note: This is the final installment of a four-part series featuring an in-depth overview of InfoSec’s (Information Security) Unified Security Metrics Program (USM). In this blog entry, we discuss some of the lessons learned during the program’s first year.

Winter weather in the North Atlantic Ocean can be precarious at best. Anyone recall the ill-fated journey of the RMS Titanic? Icebergs pose significant risk because only 10 percent can be seen above the surface, while more than 90 percent remain hidden below. Similarly, metrics and numbers on a chart represent only the tip of an iceberg. Rich, meaningful, and actionable data exists below the surface and, when leveraged successfully, can drive great results and outcomes. During the past year, the USM program has embarked on some new, uncharted waters. The journey hasn’t always been easy, but we’ve learned some valuable lessons along the way.

Cultivate Partnerships
Partnerships are the cornerstone of InfoSec’s USM program, beginning with Service Security Primes and Partner Security Architects, who are a virtual team of trusted security advisors. They, in cooperation with IT service owners, risk management groups, and decision-makers (including the CIO), work in concert with InfoSec to secure and protect Cisco. Because of InfoSec’s tight alignment with these groups, it can more effectively manage security investments, actions, and processes globally. This opens the door to advance metrics beyond basic security hygiene to more sophisticated posture assessments in the future (i.e. risk determination) within IT and other outside organizations.

Start Small and Grow Organically
As with any new endeavor and, in particular with massive, complex organizations such as Cisco, start small before launching “full throttle,” so you can properly monitor, manage, or adjust your security metrics program accordingly. This extra time allows for standardization of existing program processes, and enables you to create IT service owner “champions” that can evangelize your security program for broader adoption and long-term sustainability.

Training is Key
Formalized, on-going training, such as Cisco’s global internal Security Knowledge Empowerment (SKE) program expands security knowledge across the organization in curriculums ranging from as little as 4-6 hours of security basics to more than 120 hours of in-depth classroom, mentoring, and group projects. When combined with Service Security Primes and Partner Security Architects, it provides a potent conduit to expand security DNA throughout Cisco.

Credibility Built Upon Trust
Keeping the USM process open, transparent, and non-punitive is crucial in building trust and credibility with multiple stakeholders. Stakeholders can count on InfoSec to consistently deliver reliable, unbiased metrics every quarter. Ample time is also provided for broad internal team reviews and remediation efforts, along with clear communication for next steps. As a result of these collective activities, shared responsibility and accountability become the norm, fueling early program adoption among IT service areas and, ultimately drives improved security performance.

Construct a Communication Process Flow Loop
Communication process flow loops are essential for security metrics “consistency” across the organization. Establish a 13-week, quarterly timeline so that IT service owners know when they can expect their security data, where they can find the data (ITRM dashboards, portal sites), and how to interpret the data (reports). This enables users to access vital information in real-time, and creates better synergy and dialogue between groups to remediate security issues found.

Metrics Don’t Need to be Sophisticated to Solve Real Business Problems
Most IT organizations track risk metrics routinely. Start with pulling data from IT system logs and dashboards. InfoSec narrowed their data sources from 30 to 5 and, in doing so, drove security process improvement behaviors and action within IT. Figure out what you ultimately want to achieve. Innovation does not always involve the newest and shiniest things, it often comes from new ways to get the basics right.

Blog Series
Part 1: No Curve Ball Here, Unified Security Metrics Deliver Meaningful Results
Part 2: Security Metrics Starting Point: Where to Begin
Part 3: Making Your Metrics Program Effective Beyond Just Charts and Numbers


Sujata Ramamoorthy

Senior Director, Security Engineering

Security & Trust Organization