dcm magazine

Language, measurement and metrics in the data centre
Thursday, 02 August 2007 00:00

Abe Kleinfeld, president and CEO of nCircle, says that companies want to see results from all their spending on security. Data Centre Management finds out more.

2006 may be behind us, but the themes of accurate measurement and the validity of metrics will stay with us throughout the coming year. No doubt about it, finding an appropriate language for measurement is the key to effective management in the data centre, whether you’re talking about performance or conformance, and whether you’re serving other departments in your own business or independent organisations.

Ask a CEO a very broad question like, “how is your company doing?” and he’s likely to rattle off concise metrics describing revenue, earnings per share, gross margin and market share. These few metrics, measured over time, provide a surprisingly clear picture of the health and well-being of a company and whether its prospects are improving or deteriorating. However, ask that same CEO a far narrower question – “how secure is your data centre’s operations?” and you’re likely to be met with a blank stare.

The inability to answer this question speaks volumes about the state of information security today. Security has remained one of the top concerns amongst CIOs and data centre managers for many years, yet few have been able to measure the effectiveness of their spending. That is all about to change.

With cyber attacks continuing to make headlines throughout the business community, data centres have responded by rapidly increasing IT security spending even as overall IT budgets have remained flat or declined. Gartner predicts that security software spending will have a compound annual growth rate of 16.2% from 2005-2009 with information security spending representing approximately 6% of overall IT budgets.

It’s no surprise, then, that business executives are beginning to question what they’re getting for their IT security spending, and being able to answer their queries in meaningful language is something that every data centre manager needs to do, whether the CEO is their own or a customer’s. Let’s remember that tolerance for technospeak such as “Distributed Denial of Service attacks” and “buffer overruns” is rapidly decreasing. Indeed, in a recent Cost and Confidence Research Report commissioned by nCircle, 58% of senior managers said they don’t believe their IT team communicates effectively about security issues, while 74% agreed that security issues are a ‘fact of business life’. At the same time, their expectation that shareholders receive value from their security spending is increasing. In this environment, data centre security teams are starting to feel pressure to demonstrate the effectiveness of their efforts.

How did we get here?

Few IT categories have evolved as quickly as security. Less than a decade ago, IT security was of limited concern for the majority of organisations, and data centres were largely untroubled by security challenges that are commonplace today. Networks were private and built around proprietary protocols. Then, seemingly overnight, applications were turned inside out. Internal banking applications became ‘online banking’. In-house order entry systems became ‘online shopping’. Private networks gave way to the Internet for all communication and information sharing. Worms and viruses became the norm and costs from security-related business interruption skyrocketed.

Security had to evolve quickly. In its early phases, senior executives primarily cared about containing the security problem and let the technology experts decide what to do. As budgets increased, the technologies became both more sophisticated and more numerous, eventually multiplying into a seemingly unlimited number of subcategories and products. Companies today are increasingly confused about how much to spend on IT security and what to spend it on. In this rapid spend cycle, IT security products emerged as standalone solutions, incapable of working in an ecosystem or sharing information with one another.

Of course, much of this market confusion and general FUD (fear, uncertainty and doubt) was good news for those in the data centre game as robust security provision was one of their most attractive characteristics.

Time to show results

Now however, executives want to see results from all this security spending. Are data centre security teams equipped to think about ‘results’ when they can barely keep up with the administration and information overload from all those products they acquired? And what about all the additional products they still need? Compliance requirements have added complexity as well, with IT security a fundamental requirement in proving internal and regulatory policy compliance. How should an organisation demonstrate this exists on a quarterly and on-going basis to management and auditors? Are they even equipped to communicate with senior executives used to dealing with financial measures such as revenues, market share, margins, inventory turns and ROI?

Senior executives manage to tried and tested principles. The most effective is the ‘measure and manage’ principle. Executives set goals based on identified metrics, and then measure and manage to the established goal. Often the goal is to attain a desired return on investment. That’s fine for many business functions, but falls short for some, particularly IT security. ROI is great when the goal is to increase revenues or reduce costs. But IT security doesn’t increase revenues or reduce costs. Security doesn’t have a measurable ROI. When it fails, there’s loss. When it works perfectly, there’s cost – and how do you measure a loss that never happened?

So how do you demonstrate results from IT security in the data centre? It turns out to be simpler than one would think, particularly when the problem is reduced to its fundamental components. When all the technology talk is set aside, the goal of IT security can be simply stated as minimising risk at the lowest possible cost. There you have it. Two things that need to be measured: risk and cost.

Getting to a results-driven model of IT security will require organisations to reprioritise their efforts, and budgets, around showing a measurable and objective risk metric for their information systems and networks. Objective metrics must be tracked over time against measurable goals. Organisations will demonstrate how they are managing risk across their information systems and networks and compare today’s results to last week, last month, last quarter, last year. And by comparing risk trends with security spend, executives will clearly understand how their investment in security is being managed, and the effectiveness of that spend. IT security budgets will be justified and organisational effectiveness will be measured against the company’s acceptable risk tolerances.

Let’s face it – the risk of a security breach will always be present. But should such an event occur, organisations will have clearly documented processes and metrics that prove a standard of due care was in place. And should it prove inadequate over time, the acceptable tolerances can be tightened in measurable ways and at measurable costs, and communicated in a manner that business executives — and regulators — understand.

Measuring security

Measuring costs is easy, so let’s focus on measuring risk. There are no industry-standard measures for security risk, but there’s no reason to wait for standards. What’s important is that every company develops its own objective risk measure. For example, advanced security risk management systems can continuously identify and profile assets on a network to objectively and automatically measure vulnerability risk, configuration and security policy compliance and other specific metrics to produce a risk ‘score’ for each device.

The scores should be influenced by company-defined asset values (for example, a desktop computer will have a lower asset value than a securities trading system). These asset risk scores can then be aggregated across the entire network and reported by region, application, operating system, business unit and numerous other ways. The risk score can be further influenced by the countermeasures that are in place for each asset (countermeasures might be additional layers of security such as IDS/IPS, firewalls or antivirus products). And finally, the risk measure should be influenced by the current threat environment that exists in the wild (threat metrics can be obtained through organisations like CERT or purchased from independent security research organisations as “feeds”).

When assessing IT security risk, it’s important to take into account the entire IT ecosystem, not just individual computers on the network. For example, assigning a risk metric to an individual system is only helpful when its network context is taken into account, such as its line-of-sight access to high-threat zones (i.e. the Internet). Even asset values must be assessed from a broader perspective. An individual computer normally characterised as having a medium or low asset value may play a key role in supporting the company’s ERP system. Its overall ‘system context’ would therefore justify a higher value.

Having an objective IT risk measure is the key first step. Once an organisation puts the systems and processes in place to measure and report on risk, then setting goals and managing to them takes over. This means knowing how to prioritise risk reduction efforts. There are countless risks and vulnerabilities in an IT infrastructure. Addressing the highest priorities is critical to enabling maximum risk reduction at the lowest possible cost. When the data centre security team shows up for work, they need to know the top five or ten tasks they can complete that day to reduce risk the most. By mining the security intelligence collected by the security risk management system, including asset values, network topology and security policy information, organisations can quickly identify and prioritise the highest risks to a network or IT infrastructure.
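The preceding paragraphs describe the ingredients of a per-asset risk score (company-defined asset value, countermeasures, a threat feed, network and system context), its aggregation by business unit and its use to rank the day's remediation tasks. The following is an added example, written for this page and not nCircle's product or any vendor's algorithm: a small, constructed scoring model that combines those ingredients so the trend and prioritisation steps can be seen on sample data. The weighting factors, the vulnerability identifiers (`VULN-A` and so on), the countermeasure reduction figures and the inventory are all assumptions chosen for illustration.

```python
"""Constructed per-asset risk scoring model (added example, not vendor code).

score(asset) = effective_asset_value * network_context * residual_after_countermeasures
               * sum(severity * threat_weight for each open vulnerability)
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed fraction by which each countermeasure reduces exposure (illustrative only).
COUNTERMEASURE_REDUCTION = {"firewall": 0.30, "ips": 0.25, "antivirus": 0.15}

# Constructed stand-in for a purchased threat feed: multiplier for vulnerabilities
# currently being exploited in the wild; anything absent gets weight 1.0.
THREAT_FEED = {"VULN-A": 2.0, "VULN-C": 1.5}


@dataclass
class Asset:
    name: str
    business_unit: str
    asset_value: float                 # company-defined, 1 (low) .. 10 (critical)
    vulns: dict                        # vulnerability id -> severity 0..10 (constructed)
    internet_facing: bool = False      # line-of-sight to a high-threat zone
    supports_critical_system: bool = False  # e.g. underpins the ERP system
    countermeasures: set = field(default_factory=set)


def effective_asset_value(a: Asset) -> float:
    """System context: a modest box that underpins a critical system is rated up."""
    return max(a.asset_value, 8.0) if a.supports_critical_system else a.asset_value


def network_context_multiplier(a: Asset) -> float:
    """Network context: Internet-exposed assets carry more risk per vulnerability."""
    return 1.5 if a.internet_facing else 1.0


def residual_factor(a: Asset) -> float:
    """Fraction of exposure left after the asset's countermeasures are applied."""
    f = 1.0
    for cm in a.countermeasures:
        f *= 1.0 - COUNTERMEASURE_REDUCTION.get(cm, 0.0)
    return f


def vuln_contributions(a: Asset) -> dict:
    """Risk contributed by each open vulnerability on this asset."""
    base = effective_asset_value(a) * network_context_multiplier(a) * residual_factor(a)
    return {vid: base * sev * THREAT_FEED.get(vid, 1.0) for vid, sev in a.vulns.items()}


def asset_score(a: Asset) -> float:
    return sum(vuln_contributions(a).values())


def scores_by_business_unit(assets) -> dict:
    """Aggregate asset scores so risk can be reported per business unit."""
    totals = defaultdict(float)
    for a in assets:
        totals[a.business_unit] += asset_score(a)
    return dict(totals)


def risk_delta(previous: dict, current: dict) -> dict:
    """Change per business unit against an earlier measurement (trend reporting)."""
    units = set(previous) | set(current)
    return {u: current.get(u, 0.0) - previous.get(u, 0.0) for u in units}


def top_tasks(assets, n=5):
    """The n (asset, vulnerability) fixes that remove the most risk today."""
    tasks = [(c, a.name, vid) for a in assets for vid, c in vuln_contributions(a).items()]
    tasks.sort(reverse=True)
    return tasks[:n]


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("desk-01", "sales", 2.0, {"VULN-A": 7.0, "VULN-B": 4.0}, countermeasures={"antivirus"}),
    Asset("web-01", "ecommerce", 6.0, {"VULN-C": 9.0}, internet_facing=True,
          countermeasures={"firewall", "ips"}),
    Asset("erp-db", "finance", 9.0, {"VULN-B": 5.0}, countermeasures={"firewall"}),
    Asset("jump-02", "finance", 3.0, {"VULN-A": 6.0}, supports_critical_system=True),
]

if __name__ == "__main__":
    for unit, total in sorted(scores_by_business_unit(INVENTORY).items()):
        print(f"{unit:10s} risk {total:8.2f}")
    print("Top tasks today:")
    for contribution, name, vid in top_tasks(INVENTORY, 3):
        print(f"  fix {vid} on {name}: removes {contribution:.2f}")
```

Note how the model reproduces the article's two context points: `jump-02` has a low nominal asset value but, because it supports a critical system, its single vulnerability ranks as the top task, ahead of the Internet-facing web server whose layered countermeasures have cut its residual exposure roughly in half.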

Setting risk tolerances that are acceptable to the business becomes easier over time. Setting a goal of ‘zero’ risk is unrealistic, and spending more to reduce risk than the assets being protected are worth is not fiscally responsible. Over time, an organisation practicing risk management will improve its ability to determine acceptable tolerances for risk. These tolerances may tighten or loosen during the year. For example, a credit card company may tighten tolerances during holiday shopping seasons, or a government agency during an election. Once an organisation has the ability to measure its security risk, it has the power to identify and implement appropriate and fiscally responsible controls that protect the network based on real business needs.

The past practice of focusing solely on threats has largely failed. The threat environment, after all, is much like the weather. We all talk about it but can’t do anything to change it. Risks, on the other hand, are completely under our control. We can identify them, measure them, and reduce them in a prioritised manner that is consistent with the needs of the business.

Security budgets are reaching a level where they must be justified. Shifting the focus away from simply buying technology to applying common sense business management principles will ensure that companies spend wisely, manage prudently and deliver the most value to their organisations while protecting their critical information investments.

So when your CEO gets asked “how secure is your data centre?” don’t be surprised when he shoots back with “very secure, and improving daily,” followed by a series of metrics showing flat security spending over time whilst security risk and successful attacks on the network have declined — measurably.