The information security industry has been fundamentally broken for some time now. As a collective, the mantra is something like, “You’ve got problems? We’ve got solutions (read: products).” There, I said it. If you are in the industry, you probably knew this already. And yet, there has never been a security problem that has been solved solely by purchasing a product. We are continuously bombarded by news of breach after breach, followed by new messages in our inboxes offering to protect us from those same events if we just buy the newest Flaminator 3000™ appliance or service. What’s the root cause of the cycle of fear-uncertainty-sales? Sure, there is the intuitive appeal of a silver-bullet solution to the challenges we face. And doing security properly is rife with social, political and technical challenges. Security is hard. But that isn’t it. No, the real cause is this: We don’t know what better looks like.
Imagine for a moment that any other business unit operated the way that Information Security operates.
• No need to demonstrate an ROI. InfoSec is a cost center.
• No supportive understanding of what the business is trying to achieve. InfoSec is viewed as a hindrance to business agility, and the data it provides is often untethered from business objectives.
• No accountability. InfoSec has moved to the “assume breach” mentality, in part because it has been historically ineffective at preventing breaches.
• No need to demonstrate efficacy. InfoSec is a “dark art” that motivates too often by fear rather than facts.
We don’t know what better looks like, because we don’t know what matters to the business, and we don’t measure the impact of Information Security on those things that matter. Instead, InfoSec too often attempts to show its value through measurements unmoored from anything the business cares about, and without any historical context. Look how many vulnerabilities we patched! Look at how many spam messages we blocked! Information Security is the provider of security services to the business; as our customer, the business is entitled to understand how those services perform and to demand continuous improvement in efficacy and efficiency. To achieve that level of accountability, we need radical transparency. We need a new model for information security service delivery.
The model I propose is one that cleaves to the Google “Site Reliability Engineering” (SRE) model; I call it “Security Resilience Engineering.” Applied to security, the SRE model requires negotiating mutually agreeable service level objectives (SLOs) for every security service delivered to the customer, and creating an error budget (the amount of SLO shortfall the customer has agreed to tolerate) to monitor and manage against. Service level indicators (SLIs), the measurements the SLOs are set on, are communicated in real time to the customer and used to drive prioritization for service improvement. In practice, this means that for each security service the team delivers to its customers, there are defined metrics aligned with business objectives. The customer will always know and understand the performance of the services being delivered; this transparency is a functional requirement for accountability, and thus for continuous maturation of those services.
Continuous improvement requires continuous measurement. So how do we measure what matters? Start conservatively and prioritize. The customer must help define high-priority measurements based on risk for each service delivered. These measurements should align with and flow from established processes, which means that your policies and standards—the makeup of your information security management system—must undergird what you are measuring and thus what success looks like. Measuring informal or inconsistent processes will result in garbage data, as will providing metrics that are untethered from business outcomes. The practice of measuring and monitoring must be automated so it doesn’t detract from service delivery efforts.
Once you have run through the process of defining and implementing what successful security service delivery looks like from the customer perspective for each service, you generate a baseline performance view. This may indicate that your SLOs need to be adjusted to account for reality. For example, the volume of DLP alerts could make a 15-minute acknowledgement SLO impossible for your incident response team to achieve, and your error budget will be consumed immediately (rendering it impossible to devote the necessary resources to service improvement). You will likely find that SLOs must be balanced across your different services so that your service portfolio can coexist successfully as a whole. This illustrates why bilateral negotiation of expectations and delivery between customer and provider is critical. The customer will understand prioritization of delivery between different services, which should align to business objectives; this in turn should translate naturally into SLO adjustments across the service portfolio.
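To make the error-budget arithmetic behind the DLP example concrete, here is an added example (not code from the article) that scores a window of alert-triage records against two candidate acknowledgement deadlines. The service definition, the 95% SLO target, the 15- and 60-minute deadlines and the alert records are all constructed assumptions; the point is to show how the same team and the same alert volume blow through the budget under one SLO and stay inside it under the renegotiated one.

```python
"""Error-budget arithmetic for one security service (DLP alert triage).

Added example, not code from the article. The service, the 95% SLO target
and the alert records below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    raised_at: datetime
    acknowledged_at: Optional[datetime]  # None: nobody has picked it up yet


def within_deadline(alert: Alert, deadline: timedelta) -> bool:
    """The SLI's unit of measurement: was this alert acknowledged in time?"""
    if alert.acknowledged_at is None:
        return False
    return alert.acknowledged_at - alert.raised_at <= deadline


def still_pending(alert: Alert, deadline: timedelta, now: datetime) -> bool:
    """An open alert whose deadline has not yet passed is neither good nor bad,
    so it is excluded from the window rather than counted as a miss."""
    return alert.acknowledged_at is None and now - alert.raised_at < deadline


def evaluate(alerts, deadline: timedelta, slo_target: float, now: datetime) -> dict:
    """Compute the SLI and error-budget consumption for one measurement window.

    SLI    = good events / scored events
    budget = misses the SLO tolerates = scored * (1 - slo_target)
    burn   = actual misses / budget   (> 1.0 means the budget is exhausted)
    """
    scored = [a for a in alerts if not still_pending(a, deadline, now)]
    good = sum(within_deadline(a, deadline) for a in scored)
    misses = len(scored) - good
    sli = good / len(scored) if scored else 1.0
    budget = len(scored) * (1.0 - slo_target)
    if budget > 0:
        burn = misses / budget
    else:
        burn = 0.0 if misses == 0 else float("inf")
    return {
        "scored": len(scored),
        "good": good,
        "misses": misses,
        "sli": round(sli, 4),
        "budget_misses": round(budget, 4),
        "budget_burn": round(burn, 4),
        "slo_met": sli >= slo_target,
    }


# Constructed sample: one morning of DLP alerts, evaluated at 10:50.
T0 = datetime(2024, 1, 8, 9, 0)
NOW = T0 + timedelta(minutes=110)
SAMPLE_ALERTS = [
    Alert("dlp-001", T0 + timedelta(minutes=0),  T0 + timedelta(minutes=5)),
    Alert("dlp-002", T0 + timedelta(minutes=2),  T0 + timedelta(minutes=30)),
    Alert("dlp-003", T0 + timedelta(minutes=5),  T0 + timedelta(minutes=10)),
    Alert("dlp-004", T0 + timedelta(minutes=10), T0 + timedelta(minutes=50)),
    Alert("dlp-005", T0 + timedelta(minutes=15), T0 + timedelta(minutes=25)),
    Alert("dlp-006", T0 + timedelta(minutes=20), T0 + timedelta(minutes=75)),
    Alert("dlp-007", T0 + timedelta(minutes=30), T0 + timedelta(minutes=40)),
    Alert("dlp-008", T0 + timedelta(minutes=40), T0 + timedelta(minutes=65)),
    Alert("dlp-009", T0 + timedelta(minutes=45), T0 + timedelta(minutes=80)),
    Alert("dlp-010", T0 + timedelta(minutes=60), None),  # open for 50 min at NOW
]


def compare_deadlines(alerts=SAMPLE_ALERTS, slo_target=0.95, now=NOW) -> dict:
    """Score the same window under the original 15-minute SLO and a
    renegotiated 60-minute one; keyed by deadline in minutes."""
    return {m: evaluate(alerts, timedelta(minutes=m), slo_target, now) for m in (15, 60)}


if __name__ == "__main__":
    for minutes, result in compare_deadlines().items():
        print(f"{minutes:>3}-minute deadline: {result}")
```

Under the 15-minute deadline only four of the ten alerts are acknowledged in time, the SLI is 0.40 against a 0.95 target, and the half-a-miss budget that 95% allows on ten events is burned twelve times over. Under the 60-minute deadline the still-open alert is pending rather than a miss, the nine scored alerts are all good, and the budget is untouched. Note how brittle a 95% target is at this volume: any single miss exhausts the budget, which is the kind of fact the baseline view surfaces before the SLO is signed off.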
Technology in general, and security as a specialty practice area, is composed of people, processes, and technology. As a practice, InfoSec generally leans into the people and technology aspects. Spending resources on your people and technology is admittedly more fun than developing and continuously refining your processes. However, if you do not apply rigor and success criteria to security, you can only be accidentally successful. Security cannot be ad hoc if the goal is to consistently drive positive business outcomes. To adopt the SRE model for Information Security service delivery is to fundamentally rethink the relationship InfoSec has with the business. It is an approach where we must measure what matters most and be radically transparent with our customers. This approach is both liberating and terrifying: liberating because it provides a fact-based framework that will illustrate clearly where Information Security is delivering business value, and terrifying because it provides a fact-based framework that will illustrate clearly where Information Security is not delivering business value. Your position on the continuum between liberation and terror depends on how you have approached service delivery in the past.
Now is the time for Information Security to transform itself into a business enabler. To obtain a seat at the table, it is critical that InfoSec is viewed as a partner by the business. To do so, InfoSec must demonstrate that it provides value and is not merely a cost center. This means speaking the language of the business and embracing the role of a security service provider. It means leading in terms of radical transparency and the accountability that it enables. It means measuring what matters.