As individuals and organizations become more conscientious about cybersecurity, the question arises of how to measure the effectiveness of cybersecurity programs and departments. Beyond the obvious metric of “no breach has occurred,” what are some other ways to measure the realm of cybersecurity?
In his blog, Robert Carey, the Navy’s CIO, added his voice to the growing debate. First and foremost, he believes the network needs to be appropriately defined, using software-based definitions rather than the more traditional “data calls” approach. Once that is completed, he advocates for the following measures: “We should define a set of metrics that would increase leadership’s awareness of network, application and infrastructure components; allow for risk-based assessment; and inform their view of mission success.”
The State Department has already begun to move toward a metrics-based cybersecurity approach. John Streufert, chief information security officer at the Department of State, discussed the progress of the metrics-based program earlier this year. He said they were able to better secure their networks, reducing risk by 89 percent for domestic sites and 90 percent for State Department sites abroad.
Understanding, measuring and ensuring the resiliency, security and readiness of the military’s networks is essential for the conduct of military operations. The U.S. military is an incredibly high-tech and networked force that relies heavily on technology for operations. Recently, the U.S. military disclosed that video feeds from unmanned aerial vehicles (UAVs) had been intercepted by insurgents in Iraq. Clearly defined and useful metrics would go a long way toward building the U.S. capacity to conduct operations without worrying about the security of its information.
According to Carey, “The bottom line is that we need to start to more centrally measure and evaluate the performance of this information management engine and take appropriate actions (invest) as necessary.”