Leveling up your cybersecurity: How agencies mature security programs
October 6, 2020
Being a CISO is tough. In the federal government, it can be even tougher. Compliance requirements absorb a lot of time and energy. The CISO must often split attention between fulfilling mandates while finding ways to mature the organization’s cybersecurity posture.
To ensure the practice evolves, the CISO must help the C-Suite focus on the big picture – how the agency can best protect its most valuable IT assets. The CISO needs to be able to tell a compelling, concise story about the security program to align funding and further develop the program.
The key is to explain how to mature and how to use metrics to quantify and qualify progress toward goals to demonstrate ROI.
One of the best ways to increase efficiency is to utilize a security operations center (SOC). Centralizing security through a SOC helps agencies stay focused on the most important assets. However, not all SOCs provide equal value. At Accenture, we’ve been working on a maturity model for SOCs.
A mature program begins with infrastructure that allows for flexible integration of advanced tools and data. This foundation enables teams to apply AI and automation to streamline high-volume tasks.
Over time, agencies can integrate other, more complex tools such as anomaly detection, behavior analytics, or even predictive detection.
But having the basics down, such as a mature log collection platform and security information and event management (SIEM), is a must. Without a strong base, you can’t achieve maturity in more advanced tools.
There are no shortcuts to a mature SOC. To build one, you must recruit and retain the right personnel, invest in the right technology, and keep management attention focused. A 24/7 security operations center at a bare minimum requires a team of at least nine people, but even a small organization should ideally have 13 or more.
There is a way you can get all the benefits of a SOC without having to build your own, by using a managed security service (MSS).
Think of it this way. Ten years ago, everyone managed their own email. Who does that now? Five years ago, everyone had their own infrastructure. Now, how many of us use cloud service providers? In most areas of IT, we’ve become comfortable with outsourcing to managed services that can do it better and faster.
Agencies can partner with an MSS to take advantage of highly trained and experienced staff whose visibility extends beyond the boundaries of a single agency’s security needs and risks. An MSS can accelerate security maturity, allowing a federal agency to make significant progress in months or even weeks, compared to potentially years in-house.
Whether using an in-house or outsourced SOC, you must use metrics to quantify progress toward security goals and to demonstrate ROI throughout the process of maturing security operations.
To understand the ROI for incident responsiveness, for instance, you might use metrics to understand how many alerts tools generate, how many are true positive, how many are reviewed by an analyst, and how long it takes to respond. You can align these metrics with your key performance indicators (KPIs) to make the case for further investment.
Quantitative metrics alone will not show the entire picture. Every quantitative metric must be accompanied by a qualitative metric. For example, if you have a quantitative metric that an analyst must create 20 incidents a day, they will create 20 incidents based on intrusion detection & prevention system (IDPS) alerts to fulfill that obligation. If you have a qualitative metric that they must have an 80% true positive case rate, they might create tickets only using anti-virus alerts, which have a low rate of false positives.
The key is to use quantitative and qualitative metrics to balance each other. For example, you can respond to all incidents on your shift (quantitative) under the defined service line objective per severity level (qualitative) with a true positive rate of 95% (qualitative / improvement goal). These all should be achievable; if they are not, then you have the KPIs on where investment is needed.
An MSS can help by using automation to handle low-hanging fruit such as IDPS and AV alerts, so those alerts no longer drive analyst metrics. Instead, create metrics that are based around service line objectives and are aligned to the organization’s security objectives and KPIs.
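The metrics discussed above can be computed from the SOC’s own ticket data. The following is an added example, not code from the article or from Accenture’s SOC maturity model: it takes a constructed set of alert records for one shift and reports the quantitative counts (alerts generated, reviewed, true positives, mean response time) alongside the quality measures that balance them (true positive rate, compliance with a per-severity response objective, and a per-source breakdown that exposes the anti-virus-only cherry-picking described in the text). The severity thresholds in `RESPONSE_SLO_MINUTES`, the alert sources, and the sample records are all assumptions made for the example; the 95% true positive goal is the one named in the text.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Per-severity response objective, in minutes from alert to first analyst action.
# These thresholds are assumed for the example; the article gives no values.
RESPONSE_SLO_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}
TRUE_POSITIVE_TARGET = 0.95  # the 95% improvement goal named in the text


@dataclass
class Alert:
    alert_id: str
    source: str                       # tool that raised it, e.g. "ids", "av", "edr", "siem"
    severity: str                     # key into RESPONSE_SLO_MINUTES
    raised_at: datetime
    reviewed_at: Optional[datetime]   # None if no analyst has looked at it yet
    true_positive: Optional[bool]     # None until an analyst has made the call

    def response_minutes(self) -> Optional[float]:
        if self.reviewed_at is None:
            return None
        return (self.reviewed_at - self.raised_at).total_seconds() / 60

    def within_slo(self) -> Optional[bool]:
        minutes = self.response_minutes()
        if minutes is None:
            return None
        return minutes <= RESPONSE_SLO_MINUTES[self.severity]


def shift_metrics(alerts: List[Alert]) -> Dict[str, object]:
    """Quantitative counts plus the quality measures that keep them honest."""
    reviewed = [a for a in alerts if a.reviewed_at is not None]
    true_pos = [a for a in reviewed if a.true_positive]
    in_slo = [a for a in reviewed if a.within_slo()]
    minutes = [a.response_minutes() for a in reviewed]

    # True positive rate per alert source. A shift that hits its overall target
    # only by ticketing one high-precision source (the anti-virus example in
    # the text) shows up here as a skewed breakdown rather than a healthy SOC.
    per_source: Dict[str, Optional[float]] = {}
    for src in sorted({a.source for a in alerts}):
        src_reviewed = [a for a in reviewed if a.source == src]
        per_source[src] = (
            sum(1 for a in src_reviewed if a.true_positive) / len(src_reviewed)
            if src_reviewed else None
        )

    tp_rate = len(true_pos) / len(reviewed) if reviewed else 0.0
    slo_rate = len(in_slo) / len(reviewed) if reviewed else 0.0
    metrics: Dict[str, object] = {
        "alerts_generated": len(alerts),
        "alerts_reviewed": len(reviewed),
        "true_positives": len(true_pos),
        "true_positive_rate": tp_rate,
        "mean_response_minutes": sum(minutes) / len(minutes) if minutes else None,
        "within_slo_rate": slo_rate,
        "true_positive_rate_by_source": per_source,
    }
    # KPIs from the text: every alert on the shift handled, each within its
    # severity's objective, and a 95% true positive rate. Whatever fails is
    # the list of where investment is needed.
    metrics["unmet_kpis"] = [
        name for name, ok in (
            ("all_alerts_reviewed", len(reviewed) == len(alerts)),
            ("all_within_slo", len(in_slo) == len(reviewed)),
            ("true_positive_target", tp_rate >= TRUE_POSITIVE_TARGET),
        ) if not ok
    ]
    return metrics


def sample_shift() -> List[Alert]:
    """Constructed alert records for one shift (illustrative, not real data)."""
    def t(hour: int, minute: int) -> datetime:
        return datetime(2020, 10, 6, hour, minute)

    return [
        Alert("a1", "ids", "high", t(8, 0), t(8, 30), True),
        Alert("a2", "ids", "high", t(8, 5), t(8, 20), False),
        Alert("a3", "av", "medium", t(8, 10), t(8, 15), True),
        Alert("a4", "av", "medium", t(8, 12), t(8, 14), True),
        Alert("a5", "edr", "critical", t(9, 0), t(9, 40), True),  # 40 min: breaches the 15-min objective
        Alert("a6", "siem", "low", t(9, 30), None, None),           # never reviewed on this shift
        Alert("a7", "ids", "high", t(10, 0), t(10, 50), False),
        Alert("a8", "av", "low", t(10, 10), t(10, 20), True),
    ]


if __name__ == "__main__":
    for key, value in shift_metrics(sample_shift()).items():
        print(f"{key}: {value}")
```

On the constructed shift, the counts look acceptable (seven of eight alerts reviewed, mean response just over 21 minutes) but every quality KPI fails: one alert was never reviewed, the critical EDR alert breached its objective, and the true positive rate is 71%, carried entirely by anti-virus tickets while IDS tickets sit at 33%. That combination is exactly the case for investment the text describes, and the per-source breakdown is what keeps a raw ticket count from hiding it.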
Retaining security talent requires the right culture and alignment in goals. Building a metrics program takes time and data. Maintaining a resilient cybersecurity platform takes great leadership and a consistent vision.
It’s not easy for a CISO to align management attention and funding to improve security operations. But by understanding how to mature and using metrics to measure progress, a CISO can tell a compelling story to drive action and resources.