The document discusses using peer pressure and metrics to improve security key performance indicators (KPIs). It proposes focusing metrics on policy exceptions, which introduce risk. Tracking exceptions over time and comparing across business units can incentivize reducing exceptions. The approach took about six months to implement due to constant communication with business units and documentation. Future metric candidates proposed are virus offenders by business unit and Windows 7 deployment rates with encryption enabled.

1. From The Pillory To The Joneses
Using Peer Pressure To Improve Your Security KPIs
Bob Rudis & Albert Yin
Mini-Metricon 6.5
February 27, 2012
Thursday, January 24, 13 1

2. Thursday, January 24, 13 2

3. http://www.historicalstockphotos.com/images/xsmall/1971_people_locked_in_a_pillory_while_awaiting_witch_trials.jpg
Used With Permission
Thursday, January 24, 13 2

4. Thursday, January 24, 13 3

5. http://gentlemanredux.com/blog/2011/11/24/keeping-up-with-the-joneses/
Used With Permission
Thursday, January 24, 13 3

6. Thursday, January 24, 13 4

7. I know you all know this…
Thursday, January 24, 13 4

8. Thursday, January 24, 13 5

9. But, it’s worth repeating…
Thursday, January 24, 13 5

10. Thursday, January 24, 13 6

11. Metrics are supposed to be…
Thursday, January 24, 13 6

12. Thursday, January 24, 13 7

13. Getty Images :: “Comping” & Preview Use License
Thursday, January 24, 13 7

14. Thursday, January 24, 13 8

15. NBC News Footage :: Fair Use
Thursday, January 24, 13 8

16. How To Pick An Area Of Focus
Thursday, January 24, 13 9

17. How To Pick An Area Of Focus
Do you even have data for it?
Thursday, January 24, 13 9

18. How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
Thursday, January 24, 13 9

19. How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
Can you trust the data?
Thursday, January 24, 13 9

20. How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
Can you trust the data?
Is it an area you can measure consistently over time?
Thursday, January 24, 13 9

21. How To Pick An Area Of Focus
Do you even have data for it?
Is that data easy to get on a regular basis?
Can you trust the data?
Is it an area you can measure consistently over time?
Is it actually going to help reduce risk in your
environment?
Thursday, January 24, 13 9

22. Candidate #1 : Policy Exceptions
Thursday, January 24, 13 10

23. Candidate #1 : Policy Exceptions
We (Enterprise Security) controlled the process & data
Thursday, January 24, 13 10

24. Candidate #1 : Policy Exceptions
We (Enterprise Security) controlled the process & data
Policy exceptions inherently introduce risk into the
environment, hence a great target to focus on
Thursday, January 24, 13 10

25. Original
Thursday, January 24, 13 11

26. Original
S S
(Mostly) L E
T H
O R
W
Thursday, January 24, 13 11

27. Thursday, January 24, 13 12

28. “So what?”
Thursday, January 24, 13 12

29. Thursday, January 24, 13 13

30. No consequences…
Thursday, January 24, 13 13

31. Thursday, January 24, 13 14

32. Thursday, January 24, 13 14

33. New & Improved
Thursday, January 24, 13 15

34. New & Improved
Thursday, January 24, 13 15

35. New & Improved
Comparison
Over Time
Thursday, January 24, 13 15

36. New & Improved
Comparison
Over Time Aligned To
Risk
Thursday, January 24, 13 15

37. New & Improved
Thursday, January 24, 13 16

38. New & Improved
Thursday, January 24, 13 16

39. New & Improved
Show The Trend!
Thursday, January 24, 13 16

40. New & Improved
Show The Trend!
Focus On Risk!
Thursday, January 24, 13 16

41. New & Improved
Show The Trend!
Focus On Risk!
Thursday, January 24, 13 16

42. New & Improved
Show The Trend!
Focus On Risk!
Thursday, January 24, 13 16

43. Thursday, January 24, 13 17

44. Thursday, January 24, 13 18

45. http://www.geograph.org.uk/photo/630105
Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0)
Thursday, January 24, 13 18

46. Thursday, January 24, 13 19

47. http://hyperboleandahalf.blogspot.com/
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License
Thursday, January 24, 13 19

48. What Did It Take?
Thursday, January 24, 13 20

49. What Did It Take?
~6 months
Thursday, January 24, 13 20

50. What Did It Take?
~6 months
Constant contact with SBUs
Thursday, January 24, 13 20

51. What Did It Take?
~6 months
Constant contact with SBUs
Tons of documentation
Thursday, January 24, 13 20

52. What Did It Take?
~6 months
Constant contact with SBUs
Tons of documentation
Senior management visibility & support
Thursday, January 24, 13 20

53. What are next candidates?
Thursday, January 24, 13 21

54. What are next candidates?
Repeat virus offenders per-SBU, per-month
Thursday, January 24, 13 21

55. What are next candidates?
Repeat virus offenders per-SBU, per-month
“So what?” => What are these folks doing to keep
getting infected? Do the infected users handle/have
access to sensitive data? (Loss of Integrity/
Confidentiality)
Thursday, January 24, 13 21

56. What are next candidates?
Thursday, January 24, 13 22

57. What are next candidates?
# Windows 7 Systems Deployed &
% With Encryption Enabled (per SBU)
Thursday, January 24, 13 22

58. What are next candidates?
# Windows 7 Systems Deployed &
% With Encryption Enabled (per SBU)
“So what?” => Primary Concern Of Corporate Legal &
OCC (safe harbor loss); Doing a migration to Win 7 and
off of competing technology at same time
Thursday, January 24, 13 22

59. What are next candidates?
Thursday, January 24, 13 23

60. What are next candidates?
Internet-facing Vulnerability/Pen-test Metrics
(per SBU)
Thursday, January 24, 13 23

61. What are next candidates?
Internet-facing Vulnerability/Pen-test Metrics
(per SBU)
“So what?” => For us, Board-level initiative
Ref: CIS Security Metrics – Quick Start Guide : https://
benchmarks.cisecurity.org/en-us/?
route=downloads.form.metrics_guide.100
Thursday, January 24, 13 23

62. Bob Rudis Albert Yin
bob@rud.is albert.yin@libertymutual.com
@hrbrmstr @maximumyin
Thursday, January 24, 13 24