When Successful Security Measures Are Taken For Granted

When information security controls consistently protect networks, systems or applications, there is a risk that the defenses they provide will be taken for granted. Executives might wonder, “We haven’t had any breaches recently. Why do we need a CISO?” Home users might muse, “Why do I need an antivirus tool if I’ve been malware-free for months?”

How might we preclude information security successes from leading organizations and individuals towards complacency? How can we make sure that the safeguards continue to be valued by their beneficiaries?

One way to mitigate the risk that the security measures will be taken for granted is to collect meaningful metrics that show that the safeguards are active and provide value. Determining what metrics to collect and how to do it is hard, and a good way to start learning about this topic might be Andrew Jaquith’s iconic book Security Metrics: Replacing Fear, Uncertainty, and Doubt.

The makers of computer security products also need to remind users that the product is active and providing value. The challenge is to do this without annoying the user with frequent and irrelevant prompts. Some of the tools I’ve seen accomplish this by presenting the user with periodic activity reports, summarizing the number of blocked intrusion or infection attempts. Though the numbers in such reports are rarely meaningful to people, they act as reminders that the system is being protected.

Both metrics and activity reports are an opportunity not only to show that safeguards are in place, but also to help the audience judge whether the controls need tuning. This can also be a chance to educate the audience on how to improve their security posture even further.

For instance, an antivirus tool might report on the number of times the user clicked links embedded in email messages and explain the risks of this behavior. This would allow the product to not only remind the user that the protection is active, but also provide additional value through education. A CISO might show an increased percentage in security patch coverage in a given department, using it as an opportunity to gain support for expanding the program to other groups.
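The two kinds of report described above can be generated from data most organizations already have. The following is an added example, not code from the original post, that builds a small activity report from a constructed host inventory and constructed security-tool log lines: it computes per-department patch coverage with the change versus the previous period, counts blocked and warned events per control, and flags controls whose activity suggests they need tuning or a user-education follow-up. The inventory, log format, control names and the tuning rules are all assumptions made for illustration.

```python
"""Added example (not from the original post): a minimal security activity
report of the kind the post describes. All data, control names and rules
below are constructed for illustration."""
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

# Constructed host inventory for two periods: (hostname, department, fully_patched)
HOSTS_PREVIOUS = [
    ("fin-01", "finance", True), ("fin-02", "finance", False),
    ("fin-03", "finance", False), ("fin-04", "finance", True),
    ("eng-01", "engineering", True), ("eng-02", "engineering", True),
    ("eng-03", "engineering", False),
]
HOSTS_CURRENT = [
    ("fin-01", "finance", True), ("fin-02", "finance", True),
    ("fin-03", "finance", True), ("fin-04", "finance", True),
    ("eng-01", "engineering", True), ("eng-02", "engineering", True),
    ("eng-03", "engineering", False),
]

# Constructed log lines in an assumed format: "<date> <control> <action> <detail>".
# "warned" means the tool warned the user, who proceeded anyway (e.g. clicked a link).
EVENTS = """\
2024-03-02 email-filter blocked phishing-link
2024-03-03 email-filter blocked malware-attachment
2024-03-05 email-filter warned user-clicked-link
2024-03-06 email-filter warned user-clicked-link
2024-03-07 email-filter warned user-clicked-link
2024-03-09 endpoint-av blocked trojan-dropper
2024-03-12 endpoint-av blocked trojan-dropper
2024-03-14 web-proxy heartbeat ok
"""


def patch_coverage(hosts) -> Dict[str, float]:
    """Percentage of fully patched hosts per department, rounded to one decimal."""
    total, patched = Counter(), Counter()
    for _, dept, is_patched in hosts:
        total[dept] += 1
        if is_patched:
            patched[dept] += 1
    return {d: round(100.0 * patched[d] / total[d], 1) for d in total}


def coverage_change(previous, current) -> Dict[str, Tuple[float, float, float]]:
    """Per department: (previous %, current %, change in percentage points)."""
    prev, cur = patch_coverage(previous), patch_coverage(current)
    return {d: (prev.get(d, 0.0), cur[d], round(cur[d] - prev.get(d, 0.0), 1)) for d in cur}


def parse_events(text: str) -> List[Tuple[date, str, str, str]]:
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((date.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events


def activity_summary(events) -> Dict[str, Counter]:
    """Count actions (blocked, warned, heartbeat, ...) per control."""
    summary: Dict[str, Counter] = {}
    for _, control, action, _ in events:
        summary.setdefault(control, Counter())[action] += 1
    return summary


def tuning_hints(summary: Dict[str, Counter]) -> Dict[str, str]:
    """Constructed rules: zero blocks means verify the control is really active;
    more click-throughs than blocks points at user education or a stricter policy."""
    hints = {}
    for control, counts in summary.items():
        if counts["blocked"] == 0:
            hints[control] = "no blocked events this period: confirm the control is active and its policy is not too permissive"
        elif counts["warned"] > counts["blocked"]:
            hints[control] = "users proceeded past warnings more often than traffic was blocked: candidate for user education or a stricter policy"
        else:
            hints[control] = "active; no tuning indicated"
    return hints


def render_report(previous, current, log_text: str) -> str:
    """Plain-text report combining both views for a periodic summary."""
    lines = ["Patch coverage by department (previous -> current, change):"]
    for dept, (p, c, delta) in coverage_change(previous, current).items():
        lines.append(f"  {dept}: {p}% -> {c}% ({delta:+.1f} pts)")
    summary = activity_summary(parse_events(log_text))
    lines.append("Control activity:")
    for control, hint in tuning_hints(summary).items():
        counts = summary[control]
        lines.append(f"  {control}: blocked={counts['blocked']} warned={counts['warned']}; {hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(HOSTS_PREVIOUS, HOSTS_CURRENT, EVENTS))
```

The heartbeat line matters: a control that reports no blocks but also no heartbeat is indistinguishable from one that has silently stopped, which is exactly the kind of information a report meant to prove the safeguard is active should surface. The email-filter case illustrates the educational angle from the post: the count of click-throughs past warnings is a natural place to attach an explanation of the risk.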

Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
