Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

With Security Metrics, Every Picture Tells a Story

Tenable recently sponsored the publication of an ebook, Using Security Metrics to Drive Action. This ebook is a compilation of thoughtful essays from 33 CISOs and other experts, who all share their strategies for communicating security program effectiveness to business executives and the board. In this article, excerpted from the ebook, Aanchal Gupta, Chief Information Security Officer (CISO) for Skype at Microsoft, talks about how she selects metrics to illustrate business risks.

Aanchal Gupta empathizes with C suite executives’ need to get to the point of any discussion. As chief information security officer (CISO) for Skype and Skype for Business, she appreciates terseness from her own team.

When an executive asks her for an enterprise security update, she shows the same courtesy. That attitude helps guide her selection of metrics to illustrate business-risk assessments to senior leaders. Examples of those metrics include:

  • Externally reported security incidents. Because Skype is a public-facing, Microsoft-owned communications platform, external researchers do a lot of testing on Skype. “Anything that is reported is taken very seriously. We track these issues closely,” Gupta says. She graphs incidents over time, she states, to help leadership understand whether Skype is addressing these potential vulnerabilities. She also tracks the mean time to resolve each issue. If, over time, both graphs do not trend downward, she notes, “Then something is wrong—we are not focusing our engineering investments in the right places.”
  • Penetration testing. Skype regularly pen-tests its own product, Gupta notes, and this metric reveals any visible gaps. “I try to categorize those gaps for our leadership team,” she adds. Skype uses Microsoft’s “STRIDE” model to categorize threats—an acronym that stands for “spoofing identity,” “tampering with data,” “repudiation threats,” “information disclosure,” “denial of service” and “elevation of privilege.” The metric is important to senior leadership, Gupta asserts, because they know that penetration failures can be prevented with more in-depth training.
  • Engineering security maturity. Gupta believes that when engineers understand that they’re responsible for security from the requirements phase all throughout the development process, the final product is more secure. That’s why threat modeling is required of the Skype engineering teams. She uses color-coded heat maps to track teams’ relative security-preparedness ranking graphically, she says. The best prepared fall into the green zone; the least prepared are color-coded red. This is a simple way to communicate to executives which engineering teams need “encouragement” to focus more on security. “You can see the wheels moving right away,” she comments. “You leave the executive meeting and right away you get four follow up meeting invitations from the engineering managers: ‘Can you walk my team through why we are red and how we can get to green?’”

Right away you get four follow up meeting invitations from the engineering managers: ‘Can you walk my team through why we are red and how we can get to green?’

It is important for CISOs to avoid presenting prebaked metrics to executives, Gupta cautions. If at an executive meeting you point out that the organization has several open security issues, someone will ask you to prioritize and rank them. If you reply that some of the issues you have charted have not yet been severity-ranked, leadership will not be happy.

“Don’t go to your leadership unprepared,” Gupta urges, “Your data should reflect the homework you have done.”

A final insight: a picture is worth a thousand words, especially one that illustrates your metrics in an effective and cogent way. “You may speak for an hour and nobody will believe that you have affected the problem,” Gupta contends. “But if you show leadership a trend graph, they’ll be convinced.”

Don’t go to your leadership unprepared. Your data should reflect the homework you have done.

More information

About the author

As CISO for Skype at Microsoft, Aanchal Gupta leads a team of experts at Microsoft in the areas of security, privacy, and compliance. She is passionate about building products that are safe, trustworthy, and accessible to everyday users. Prior to joining Microsoft, Aanchal led Yahoo!’s Global Identity team, contributing to various authentication and authorization open standards such as OpenID and OAuth. She has more than two decades of experience leading large, distributed development teams developing global software used by millions.

Ad: Security Metrics That Drive Action

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.