Page 65 - Cyber Defense eMagazine - November 2017

MEASURING SUCCESS IN CYBER SECURITY


               IS NO NEWS GOOD NEWS WHEN IT COMES TO CYBER SECURITY IN YOUR
               BUSINESS? WHAT ARE THE HALLMARKS OF EXCELLENCE IN THIS FIELD?



               Phil Cracknell, Chief Information Security Officer (CISO) at Homeserve, is speaking alongside
               senior public and private sector figures at the 16 November Cyber Security Summit in London,
               shining a spotlight on the challenges facing Cyber Security practitioners.

               He is keen to bring focus onto the lack of quantification in Cyber Security, pointing out that
               “What good looks like is becoming increasingly important”, and as such, the ability to define
               what constitutes “good” Cyber Security takes priority.

               Phil has long made strides in developing co-operation between CISOs with a number of
               purposes, one of which is the quantification of Cyber Security standards. Initially focusing on
               “anonymous surveys of CISOs to fill the void of information regarding breaches”, this work has
               since evolved into The Metrics Project.

               The Metrics Project focuses on defining the mechanisms and language used to measure the
               effectiveness of Information Security, with over 50 UK CISOs involved. As the collective work of
               over 350 CISOs over its current lifespan and purposely avoiding vendors and analysts thus far,
               the Metrics Project focuses on developing something that will deliver true value to the
               businesses of those involved, in Phil’s words: “By the CISO, for the CISO.”



               Measuring and validating


               Phil emphasised the role of metrics as “very much the key to our future” in measuring and
               validating the effectiveness of Cyber Security. “Businesses are waking up to the fact that they
               need metrics and risk indicators that our board, audit committees and non-executive directors
               are able to understand.”

               Promoting a “report what you should, not what you can” mind-set from organisations, Phil
               suggests metrics have the ability to affect business practice in a number of ways. Metrics can
               “demonstrate effectiveness, measure exposure and agility, test organisation culture, pinpoint
               responsibilities and highlight levels of investment”, all of which provide a great insight into a
               sector and tangible, measurable indicators of Cyber Security suitability.










                         Copyright © 2017, Cyber Defense Magazine,  All rights reserved worldwide.