Chapter 10

Establishing a Metrics Management System

Abstract

This chapter is designed to provide basic guidance necessary for the development of a metrics methodology to understand what, why, when, and how a cyber security program can be measured. Using a fictitious corporation and functions that were previously described, a metrics system will be developed. The chapter includes a discussion of how to use the metrics to brief management, justify budget, and use trend analyses to develop a more efficient and effective cyber security program.

Keywords

Corporate information officer (CIO); Cost-avoidance metrics; Cyber security program metric; Education and awareness training program (EATP); Metrics charts; Metrics management; Project chart; Stand-alone microcomputers

Don’t work harder—work smarter

Ken Blanchard

Chapter Objective
This chapter is designed to provide basic guidance necessary for the development of a metrics methodology to understand what, why, when, and how a cyber security program can be measured. Using a fictitious corporation and functions that were previously described, a metrics system will be developed. The chapter includes a discussion of how to use the metrics to brief management, justify budget, and use trend analyses to develop a more efficient and effective cyber security program.

Introduction

Some of the most common complaints cyber security officers make are that management doesn’t support them and—as the famous comedian Rodney Dangerfield is known for saying—“I get no respect.” Another complaint is that the costs and benefits of a cyber security program cannot be measured.
As for the first two, you get support, because you are being paid—and these days, more often than not, quite handsomely—and you have a budget that could have been part of corporate profits. Furthermore, respect is earned. Besides, if you want to be popular, you are definitely in the wrong profession.
One often hears management ask:
• “What is all this security costing me?”
• “Is it working?”
• “Can it be done at less cost?”
• “Why isn’t it working?”
That last question often comes right after a successful denial-of-service attack or some other attack on the corporate systems or Web sites. Of course, many cyber security officers respond by saying that it can’t be measured. That is often said out of the cyber security officer’s ignorance of processes to measure costs or because the cyber security officer is too lazy to track costs.
The more difficult question to answer is, “What are the measurable benefits of a cyber security program and the functions that provide support under the cyber security program?” Of course, one could always use the well-worn-statement, “It can be measured only as a success or failure depending on whether or not there have been successful attacks against our systems.” The truth is that many attacks go unnoticed, unreported by the users or information technology (IT) people. Furthermore, separating attacks from “accidents” (human error) is usually not easy; however, metrics can help in the analyses.

What Is a Metric?

To begin to understand how to use metrics to support management of a cyber security program, it is important to understand what is meant by “metrics.” For our purposes, a metric is defined as a standard of measurement using quantitative, statistical, and/or mathematical analyses.

What Is a Cyber Security Program Metric?

A cyber security program metric is the application of quantitative, statistical, and/or mathematical analyses to measure cyber security program functional trends and workload—in other words, tracking what each function is doing in terms of level of effort (LOE), costs, and productivity.
There are two basic ways of tracking costs and benefits. One is by using metrics relative to the day-to-day, routine operations of each cyber security program function. These metrics are called LOE and are the basic functions noted in the cyber security officer’s charter of responsibilities and accountabilities. Examples would be daily analyses of audit trail records of a firewall, granting users access to systems, and conducting noncompliance inquiries. In more financial terms, these are the recurring costs.
The other way of tracking costs and benefits is through formal project plans. In other words, if the tasks being performed are not the normal LOE tasks, then they fall under projects. Remember that functions are never-ending daily work, while projects have a beginning and ending date with a specific objective. In more financial terms, these are the nonrecurring costs.
So, to efficiently and effectively develop a metrics management program, it is important to establish that philosophy and way of doing business. Everything that a cyber security officer and staff do can be identified as fitting into one of these two categories: LOE or project.

What Is Cyber Security Program Metrics Management?

Cyber security program metrics management is the managing of a cyber security program and related functions through the use of metrics. It can be used where managerial tasks must be supported for such purposes as backing the cyber security officer’s position on budget matters, justifying the cost-effectiveness of decisions, or determining the impact of downsizing on providing cyber security program service and support to customers.
The primary process to collect metrics is as follows:
• Identify each cyber security program function1;
• Determine what drives that function, such as labor (number of people or hours used), policies, procedures, and systems; and
• Establish a metrics collection process. The collection process may be as simple as filling out a log for later summarization and analysis. The use of a spreadsheet that can automatically incorporate cyber security program statistics into graphs is the preferred method. This will make it easier for the cyber security officer to use the metrics for supporting management decisions, briefings, etc.
The decision to establish a process to collect statistics relative to a particular cyber security program function should be made by answering the following questions:
• Why should these statistics be collected?
• What specific statistics will be collected?
• How will these statistics be collected?
• When will these statistics be collected?
• Who will collect these statistics?
• Where (at what point in the function’s process) will these statistics be collected?
By answering these questions for each proposed metric, the cyber security officer can better analyze whether a metrics collection process should be established for a particular function. This thought process will be useful in helping explain it to the cyber security program staff or management, if necessary. It will also help the cyber security officer decide whether he or she should continue maintaining that metric after a specific period of time. Since the corporate cyber security officer had begun with an analysis of cyber security program requirements (drivers) that led to the identification of a cyber security officer charter that led to the identification of cyber security program functions with process flowcharts, the task of developing metrics will be much easier. That is because each step noted in the cyber security program functions’ flowcharts can be a point of quantifying and qualifying costs of performing each specific function.
All metrics should be reviewed, evaluated, and reconsidered for continuation at the end of each year, or sooner—when a requirement changes, a function may also change. Remember that although the collection of the metrics information will help the cyber security officer better manage the cyber security program duties and responsibilities, a resource cost is incurred in the collection and maintenance of these metrics. These resources include:
• People who collect, input, process, print, and maintain the metrics for you;
• Time to collect, analyze, and disseminate the information; and
• The hardware and software used to support that effort.
When using these metrics charts for management briefings, one must remember that the chart format and colors are sometimes dictated by management; however, which type of chart is best for analysis or presentation to management is probably up to the cyber security officer.
The cyber security officer should experiment with various types of line, bar, and pie charts. The charts should be kept simple and easy to understand. Remember the old saying, “A picture is worth a thousand words.” The charts should need very little verbal explanation.
If the cyber security officer will use the charts for briefings, the briefing should comment only on the various trends. The reason for this is to clearly and concisely present the material and not get bogged down in details, which detract from the objective of the charts.
One way to determine whether the message of the charts is clear is to have someone look at each chart and describe what it tells him or her. If it is what the chart is supposed to portray, then no changes are needed. If not, the cyber security officer should then ask the viewer what the chart does seem to represent and what leads him or her to that conclusion. The cyber security officer must then go back to the chart and rework it until the message is clear and is exactly what the cyber security officer wants the chart to show. Each chart should have only one specific objective, and the cyber security officer should be able to state that objective in one sentence, such as “This chart’s objective is to show that cyber security program support to corporate is being maintained without additional budget although the workload has increased 13%.”
The following paragraphs identify some basic examples of cyber security program metrics that can be collected to assist a cyber security officer in managing a cyber security program and briefing the management on the program and the program’s organization. By the way, when establishing a briefing to management in which the metrics charts will be used, a similar chart can be used to start off the briefing. That chart tracks the requirements (drivers) that can be traced to each function. One may also want to provide more detailed charts tracking specific requirements to specific functions.
Of course, as the cyber security officer, you would want to get more specific and track to a more detailed level of granularity. In fact, the cyber security program staff responsible for leading a specific function should be tasked with developing this chart or charts. That way, the staff will know exactly why they are doing what they do. The next step would be for them to track their workflow, analyze it, and find more efficient ways to do the job. At the same time they would also look at current costs and cost savings as more efficient ways are found to successfully accomplish their jobs.
The cyber security officer must remember that metrics are a tool to support many of the cyber security officer’s decisions and actions; however, they are not perfect. Therefore, the cyber security officer must make some assumptions relative to the statistical data to be collected. That’s fine. The cyber security officer must remember that metrics are not rocket science, only a tool to help the cyber security officer take better-informed actions and make better-informed decisions. So, the cyber security officer should never get carried away with the hunt for “perfect statistics,” or become so involved in metrics data collection that “paralysis by analysis” takes place.2
The spreadsheets and graphs used for metrics management can become very complicated, with links to other spreadsheets, elaborate three-dimensional graphics, etc. That may work for some, but the cyber security officer should consider the KISS (keep it simple, stupid) principle when collecting and maintaining metrics. This is especially true if the cyber security officer is just getting started and has no or very little experience with metrics. One may find that the project leads who are developing an “automated statistical collection” application are expending more hours developing the application—which never seems to work quite right—than it would take to manually collect and calculate the statistical information.
It is also important, from a managerial viewpoint, that all charts, statistics, and spreadsheets be done in a standard format. This is necessary so that they can be ready at all times for reviews and briefings to upper management. This standard is indicative of a professional organization and one that is operating as a focused team.
Cyber security officers who are new to the cyber security officer position, or management in general, may think that this is somewhat ridiculous. After all, what difference does it make as long as the information is as accurate as possible and provides the necessary information? This may be correct, but in the business environment, standards, consistency, and indications of teaming are always a concern of management. Your charts are indicative of those things.
The cyber security officer has a hard enough job getting and maintaining management support. The job should not be made more difficult than it has to be.
Another negative impact of nonconformance of format will be that the attendees will discuss the charts and not the information on them. Once “nonconformance to briefing charts standards” is discussed, management has already formed a negative bias. Thus, anything presented will make it more difficult to get the point across, gain the decision desired, and meet the established objective of the briefing.
It is better just to follow the established standards than to argue their validity. It is better to save energy for arguing for those things that are more important. After all, one can’t win, and the cyber security officer does not want to be seen as “a non-team player” more than necessary.
Of course the number, type, collection methods, etc., that the cyber security officer will use will be dependent on the environment and the cyber security officer’s ability to cost-effectively collect and maintain the metrics.

Metrics 1: Cyber Security Program Level of Effort Drivers—Number of Users

There are two basic cyber security program LOE drivers within an organization, that is, those things that cause the cyber security program workload to be what it is, increasing or decreasing. The two basic drivers are:
• The number of systems that fall under the purview of the cyber security program and cyber security officer’s overall responsibility for protection and
• The number of users of those systems.
A question that must be asked is: Why are these metrics worth tracking? They are worth tracking because they drive the cyber security program workload—the LOE—which means they drive the number of hours that the cyber security program staff must expend in meeting their cyber security program responsibilities relative to those systems and users.
As the number of users on the corporate networks changes or the number of systems changes, so does the workload; therefore, so does the number of staff required and the amount of budget required—time to do the job. For example, assume that the corporation is downsizing—a common occurrence that cyber security officers will eventually face in their cyber security program careers. If the cyber security officer knows that the corporation will downsize its workforce by 10%, and assuming that the workforce all use computers, which is not unusual in today’s corporations, the workload should also decrease about 10%. This may cause the cyber security officer to also downsize (lay off staff) by approximately 10%.
However, the downsizing, whether it is more or less than the corporate average, should be based on the related cyber security program workload. The cyber security program drivers are metrics that can help the cyber security officer determine the impact of the corporation’s downsizing on the cyber security program and its organization. The metrics associated with that effort can also justify downsizing decisions to corporate management—to include possibly downsizing by 5 or 12% instead of 10%. For example, more layoffs may mean more cyber security program-related infractions, which means an increase in noncompliance inquiries and thus an increase in the workload. Massive layoffs would also mean more work for those who are responsible for deaccessing employees from the systems prior to employment terminations. The metrics can show this work increase and make a case to management for not laying off cyber security program staff until after the other major layoffs have occurred.

Charting Level of Effort through Number of System Users

As a cyber security officer, you decided that it would be a good idea to use the driver’s metric that is used for tracking the number of system users. You have gone through the analytical process to make that decision based on answering the why, what, how, when, who, and where questions.

Why Should These Statistics Be Collected?

The driver’s metric that tracks the number of system users for which the cyber security officer has cyber security program responsibility is used to assist in detailing the needed head-count budget for supporting those users. As an example, the following functions are charted based on the number of corporate system users:
• Access control violations,
• Noncompliance inquiries, and
• Awareness briefings.

What Specific Statistics Will Be Collected?

• Total users by location and systems and
• Total systems by location and type.

How Will These Statistics Be Collected?

• The total number of users will be determined by totaling the number of user IDs on each network system and adding to it the number of stand-alone systems. It is assumed that each stand-alone system has only one user.
• Stand-alone microcomputers and networked systems (which will count as one system) will be identified and totaled using the approved system documentation on file within the cyber security program organization on the approved systems database. At the corporation, all systems processing sensitive information falling within the categories previously identified at the corporation for identifying information by its value must be approved by the cyber security officer (or designated cyber security program staff members). Therefore, data collection is available through the cyber security program’s records.

When Will These Statistics Be Collected?

The statistics will be compiled on the first business day of each month and incorporated into Metrics 1, cyber security program drivers, graph maintained on the cyber security program department’s administrative microcomputer.

Who Will Collect These Statistics?

The statistics will be collected, inputted, and maintained by the project leaders responsible for each cyber security program function, such as system accesses and system approvals.

Where (at What Point in the Function’s Process) Will These Statistics Be Collected?

The collection of statistics will be based on the information available and on file in the cyber security program organization through close of business on the last business day of the month.
Of course, the number of system users affects all cyber security program functions. Follow-on charts would show the workload relative to the other cyber security program functions that are affected. Bold fonts are used to highlight important facts that the cyber security officer wants to emphasize—management’s eyes are naturally drawn to bold fonts.

Significance of the System Users Chart

The number of system users is also a driver of cyber security program workload because the cyber security program functions’ LOE and some projects are based on the number of users. They include the following:
• The cyber security program staff provides access controls for users;
• The number of noncompliance inquiries will probably increase based on the increased number of users;
• The number of noncompliance inquiries may actually increase when the corporation downsizes because of more hostility among the employees (a metrics chart showing caseload may help in defending cyber security officer staff from more drastic layoffs than may have been required by management);
• The time to review audit trail records will increase as a result of more activity because of more users; and
• The number of awareness briefings and processing of additional awareness material will increase as a result of an increase in users.
Remember that as a cyber security officer you are also a cyber security program “salesperson” and must effectively advertise and market information and systems protection to corporation’s personnel. A chart can be used by the cyber security officer for the following:
• Justify the need for more budget and other resources;
• Indicate that the cyber security program is operating more efficiently, because the budget and other resources have not increased although the number of systems has increased; and
• Help justify why budget and other resources cannot be decreased.
When deciding to develop metrics charts to track workload, efficiency, costs, etc., of that function, always start at the highest level and then develop charts at lower levels (in more detail) that support the overall chart. This is done for several purposes. The cyber security officer may have limited time to brief a specific audience, and if it is an executive management briefing, the time will be shorter, as usually their attention span is short when it comes to cyber security program matters. So, the “top-down” approach will probably work best. If you have time to brief in more detail, the charts are available. If executive management has a question relative to some level of detail, then the other charts can be used to support the cyber security officer statements and/or position in reply to the question of the audience.

Granting Users Access to Systems

A major cyber security program service and support function is to add new users to systems and to provide them new access privileges as directed by their management and information owners.
As part of that service and support effort, the cyber security officer wants to ensure that these users are given access as quickly as possible, because without their access or new access privileges, the users cannot perform their jobs.
If users cannot gain expeditious access, then the cyber security program is costing the corporation in terms of lost productivity of employees or even possibly lost revenue in other forms.
The cyber security officer, in coordination with the cyber security program staff responsible for the access control function, evaluated the access control process and determined that users should be given access within 24 h of receipt of a request from management.
The cyber security officer decided to track this process because of its high visibility. Nothing can damage the reputation of the cyber security officer and staff faster than a hostile manager whose employees cannot get systems access to be able to do their work, leading, for example, to increased costs due to lost department productivity caused by the slowness of accessing employees to systems. To develop a metrics chart, one should first create a flowchart of the function.
Anything worth doing does not have to be done perfectly—at first.

Ken Blanchard

Examples of Other Metrics Charts

There are numerous metrics charts that can be developed to support the various needs of the cyber security officer and the cyber security program. The cyber security officer may also use this information when budget cuts are required. The chart can be shown to management and modified to show what would happen if the staff were cut by one person, two people, etc. In other words, the average users’ initial access to systems in terms of turnaround time would increase. Management may or may not want to live with those consequences. The cost can be quantified by taking the average hourly wage of the employee, identifying how much productivity time is lost with access coming within one business day, and comparing that to time lost if access, because an access control person has been laid off, takes two business days.
For example, an employee earns $15 an hour. The employee shows up at the desk of an access controller at the start of the business day, 8.00am. That employee is authorized system access by 8.00am the next day. This loss of at least 8 h of productivity at $15 an hour would be the normal cost of the cyber security program function of access control, or $120 per employee. However, if the access was not authorized until the day after, the cost per employee would be $240.
The chart can show the cyber security officer where staff cuts can be made and still meet the expected goals. The cyber security officer can also use this information when deciding to reallocate resources (transfer a person) to another function for which the goals are not being met and the fastest way to meet the goals is to add head count. A word of caution here—adding or decreasing head count is usually considered a fast, simple solution. However, it is not always the answer.
Sometimes when the numbers look right the decision is still wrong!

Ken Blanchard and Norman Vincent Peale

Many project leaders and cyber security officers have found over the years that projects and LOE problems are not always solved by assigning more bodies to solving the problem. One should first look at the process and at systemic problems. This is usually a more cost-effective approach to solving these types of problems. For example, using the example of the newly hired employee getting first-time system access, suppose a way was found to cut that time down to 1 h. The costs saving would be from the normal $120 to $15, or a saving of $105 per new employee. Such charts can be used for management briefings and will show specifically how the cyber security officer and staff are lowering cyber security program costs, at least for that particular cyber security program function.
As with all metrics charts, a decision must also be made whether to collect the data monthly, quarterly, semiannually, annually, or somewhere in between. The time period will depend on several factors. These include, but are not limited to:
• What they will be used for, such as monthly or annual executive briefings;
• Budget justifications;
• Cyber security program staff functions resource allocations; and
• The objectives of each chart.
A subchart of this chart may be the average time spent, in hours, per type of inquiry. Once the time elements are known, they can be equated to productivity gains and losses, as well as budget, such as money, equipment, and staff.

Cyber Security Program Tests and Evaluations

The cyber security officer may decide to establish a process that will provide guidelines on the need, establishment, and implementation of metrics charts. The cyber security officer uses a cyber security program function to develop the process—the methodology—with the following results:
• The cyber security program will conduct security tests and evaluations (ST&E) as prescribed by the corporation’s cyber security program policies and procedures.
• Results of the cyber security program ST&E will be charted.
• Each chart will be evaluated to determine whether a pattern/trend exists.
• Patterns/trends will be evaluated to determine how effectively a function is being performed.
• Results and recommendations will be presented, in accordance with cyber security program policies and procedures, to the applicable managers.
Another cyber security program function that provides opportunities for using metrics management techniques is the function of the cyber security program ST&E.
The cyber security officer may consider a reallocation of staff because of the increased workload. Also to be considered is whether to change the ST&E process. One consideration is to conduct fewer ST&E. If one does that, it would be important to monitor the number of noncompliance inquiries, as they may go up. For example, fewer ST&E may result in increased systems vulnerabilities, which may in turn lead to more successful attacks and thus to more noncompliance inquiries. Another factor the cyber security officer may consider is doing more ST&E using automated cyber security program software to replace some currently manual testing.
One can also consider providing training to department staff so they can do their own ST&E and provide reports to the cyber security officer. This is usually not a good idea, as the objectivity of the testing may be questionable. For example, they may find vulnerabilities but not report them, because they do not want to incur the costs in time and budget to mitigate the risks identified by these vulnerabilities. In addition, as far the corporation as a whole is concerned, one is only passing on the costs in terms of allocation of resources to conduct the ST&E to another department and not decreasing overall cyber security program costs.
Remember that the corporation is a global corporation with plants and offices on three continents. Since the cyber security officer has overall cyber security program and cyber security program functional responsibility for all locations, a process must be put in place for metrics management at all locations. The cyber security program–cyber security program functional leads at all the locations would provide the statistics and charts for their locations. These statistics would be indicators for establishing cyber security program functional resource allocations based on the “worst” locations.
The issue that will often come up when designing charts is what type of charts to use—bar, line, pie, etc. The choice should be to use the format that meets the chart’s objective in the most concise and clear way.

Cyber Security Program Education and Awareness Training

The cyber security program’s education and awareness training program (EATP) is one of the major baselines of the cyber security program. It follows that it is an integral part of the cyber security officer’s cyber security program organization. It doesn’t matter whether briefings, training, and such are given by a cyber security program staff member, the corporate training office, the Director of Security’s security training personnel, Human Resources new-hire briefings, or a combination of any of these. It is a cyber security program, and therefore a cyber security program cost, and it should be metrics-managed.
Let’s assume that to be somewhat cost-effective, the goal is to have at least 15 employees on average attend each briefing. That being the case, this metrics chart or another like it would show not only the number of briefings and the total attendees, but also the average number of attendees per briefing. In addition, a straight line could be included at 15 so that the average attendees per briefing can easily be compared against the goal of 15 employees per briefing.
If the goal was not being reached, as the cyber security officer, you might want to discuss the matter with your cyber security program leader for the EATP. Certainly if the goal is not being met, you can’t, and obviously shouldn’t, ignore it. There is nothing worse than setting a goal, metrics managing to attain that goal, and then ignoring it when it is not being met. Furthermore, as a cyber security officer you shouldn’t just wait until the end of the year to attempt to correct the matter in a discussion with your EATP lead and then zap that person in his or her year-end performance evaluation.
Let us assume that employees must attend an annual briefing relative to the cyber security program and their duties and responsibilities. Assume that they prepare to attend the briefing and walk to the briefing room and that that takes 15 min. They attend a 1-h briefing and return to their place of work, for a total time of 90 min. At an average employment rate of $15 per hour, each employee’s time (and lost productivity, since they are not performing the work for which they were hired) for the annual briefing is $22.50. Let’s also suppose that the corporation employs 100,000 people worldwide and all of them must attend the annual briefing. That means that the annual briefing program, excluding the time the cyber security program specialist takes in preparing the updated material each year and other expenses, costs an astounding $2,250,000!
One can argue that the briefings are necessary, they save money in the long run because valuable corporation is protected, and all that. However, that does not change the fact that this is a rather costly program. In fact, there is no indication that the cost–benefits have ever been validated. Yet, every cyber security officer knows that employee awareness of the threats, vulnerabilities, and risks to information and information systems is an absolute necessity. So, what can be done to lower the cost of such a program?
Using the project team approach, the cyber security officer should establish a project team to look at the costs, benefits, and risks of not having an annual briefing and other methods for providing awareness to employees. Possibly the use of e-mails, online briefings, and other electronic means could eliminate the need for the employees to physically attend a briefing. Possibly briefings could be eliminated or online bulletins used.

Cost-Avoidance Metrics

As a cyber security officer, you may want to use the metrics management approach to be able to quantify the savings of some of your decisions. For example, when analyzing your budget and expenditures, you note that a major budget item is travel costs for your staff. This is logical, because staff, as well as you, must travel to the various corporate offices to conduct cyber security program tests and evaluations.
Again, using the project management approach, you lead a project team of yourself, staff members, and representatives from the contract office and the travel office. Your goal is to find ways to cut travel costs while still meeting all the cyber security program’s and your charter’s responsibilities. A representative from the contract office will advise the project team on contractual obligations and ways in which they can be met with less travel, but without violating the terms of the contracts. The travel office will give advice on ways to cut travel costs. For example, because many trips are known well in advance, flights and hotels can also be booked in advance.

Metrics Management and Downsizing

All cyber security officers at one time or another in their careers face the need to downsize—that is, lay off, fire, or terminate—cyber security program staff. However, if you are operating at peak efficiency and have not built any excess staff into meeting your charter responsibilities, you may be able to make a case for not terminating staff or for terminating fewer personnel.
Many managers, and cyber security officers are no exception, tend to forget that they are hired to do a job, and that job is not to build an “empire” or bureaucracy. The key to success is getting the job done efficiently and effectively—as we said before, good and cheap. In addition, the more staff members and the larger the budget you have, the more people problems you will have and the harder the financial people will try to take some of your budget. So you are constantly battling to maintain your large budget.
If, on the other hand, you have a small staff and a smaller budget, you have a better chance of protecting what you have, because it is the minimum needed to get the job done. That approach coupled with metrics management techniques and periodic briefings to executive management will help you continue to get the job done as you deem appropriate, even though other organizations are losing staff.
Let’s look at some figures showing various ways of presenting information based on metrics management’s data collection efforts:
Another chart that is important for briefing management is one that shows the LOE versus the hours available for the cyber security program staff. The difference between LOE and time available can be shown to be part of a briefing on work backlog or used to show the difference in overtime being worked. A subchart may show details on the amount of backlog and its impact on the cost of doing business. It can also show the overtime costs being paid and perhaps a comparison of that cost with the cost of hiring one or more additional staff. Seeing this comparison would help in making decisions as to which is cheaper, paying overtime or hiring more staff.
These charts must also be accompanied by others showing productivity and drivers of workload, as in some of the charts shown earlier. This is necessary because management will ask why you must do the things you do and why you must do them in the way you are doing them. This quest for productivity and efficiency gains will be a constant chore for the cyber security officer. It is a challenge, but one that can be supported by metrics charts.
Layoffs are a fact of life in business, and metrics charts can help the cyber security officer justify head count and work, as shown by some of these charts. The chart can show measurement in terms of head count or hours that are equivalent to head count.
Generally, when management decides to cut costs, they lay off employees as the easiest method. They also usually direct each manager to cut a certain percentage of staff, say, 20%. However, although this may be the easiest way, it is not the best way; sometimes it would be cheaper to keep some of the staff, because their loss causes delays costing millions of dollars worth of production, sales, etc. As we all know, executive management often takes a short-term, “what’s in it for me now” approach to managing their parts of the business.
Metrics management can help the cyber security officer plead the case to not cut 20% of staff. One word of caution: The cyber security officer should do this objectively and based on providing effective and efficient service and support to the corporation’s departments. It should never, ever be based on keeping a large staff and bureaucracy for the sake of status, power, ego, or other nonbusiness reasons.
The cyber security officer would include information relative to the impact of both the corporation’s directed layoff numbers and those of the cyber security officer. This must be objectively done based on a business rationale. This information would include the following, identified as increasing the level of risks to information and information systems:
Contingency planning: Contingency, emergency, and disaster recovery testing and plan updates will be delayed. The result will be anything from no impact to not being able to effectively and efficiently deal with an emergency.
Awareness program: Employees may not be aware of their responsibilities, thus leaving the systems open to potential attack or an increase in the potential for the loss of sensitive information.
Access violations analyses: There will be delays of between 48 and 72 h in the analyses of audit records. Thus, an attack against corporate systems would not be known for at least 48–72 h. During that period, information could be stolen. However, something like a denial-of-service attack would be known when it was successful. The opportunity to identify the initial attempts at these attacks over a period of time would be lost, and with it the chance to mount defenses before the attacks were successful. The result will be systems, possibly production systems, that are down for an unknown period of time.
Noncompliance inquiries: The average time it would take to complete an inquiry would increase by more than 2 weeks. Thus, no action to adjudicate the alleged infraction would be possible until the report was delivered to management. Furthermore, the alleged infraction may have called for the revocation of system privileges of the employee or employees who are the subject of the inquiry. Thus, their ability to be productive employees during that time would be negated.
Access control: It is assumed that the number of new employees hired would be drastically reduced, and that could mitigate some of the LOE expended by the access controllers. However, employees requiring changes in privilege would have those access changes delayed an additional 48–72 h from the present average of 8–12 h. This may adversely affect their productivity. To allow departments to do their own employees’ privilege changes was evaluated under a previous project and found not to be realistic: The information to which the employees needed access did not belong to that department; most often it belonged to another information owner. These information owners did not want others to access their information without their approval. In addition, this change would just be transferring the costs and would not save the corporation any additional resources.
The foregoing is a small example of how metric management techniques can be used when the need for budget cuts occurs. The example provides some insight into how metric management techniques help mitigate the risks of budget and staff downsizing when such downsizing will hurt the cyber security program and the corporation. Metric management techniques can help the cyber security officer make a case to executive management. Furthermore, if the cyber security officer, supported by the metric management approach, has been periodically briefing management of the cyber security program and the cyber security officer’s projects and LOE, the cyber security officer will have gained the confidence of management as a reliable manager who gets the job done as efficiently and effectively as possible.

Project Management

As previously discussed, there are two basic types of work performed by the cyber security officer and staff: (1) LOE and (2) projects. We have discussed LOE and have provided some examples of process and metrics flowcharts relative to LOE.
It has been stated several times, but bears repeating: Projects are established when some tasks related to the cyber security program and/or its functions must be completed but they are not ongoing tasks. It is imperative that the cyber security officer be intimately familiar with and experienced in project management—as well as time management.
Remember that whether or not some task should be a project depends on whether it has the following:
• A stated objective (generally in one clear, concise, and complete sentence),
• A beginning date,
• An ending date,
• Specific tasks to be performed to successfully meet that objective,
• A project leader, and
• Specific personnel to complete each task and the time period in which the task will be completed.
Let’s assume that the corporate information officer (CIO) sent a memo to the cyber security officer based on a conversation that the CIO had with the Director of IT. It seems that they had a meeting and during the meeting the discussion turned to IT projects related to their projects of upgrading systems, such as hardware, software, and their general maintenance. The cyber security program policy called for such upgrades and maintenance efforts to ensure that the information environment is maintained in compliance with the requirements set forth in the cyber security program. The Director stated that the IT staff didn’t know if that was always the case when they made changes to systems. Consequently, the Director suggested that members of the cyber security officer’s organization be part of the IT project teams with responsibility for determining whether the changes kept the corporation’s information environment secure. The CIO agreed and sent the cyber security officer a letter to that effect. When the cyber security officer received the memo, the cyber security officer discussed the matter with the Senior Systems Security Engineer. It was decided that a project be developed to establish a process and function to comply with the request from the CIO and Director of IT.
As a cyber security officer, you should be able to identify several issues that the cyber security officer must resolve apart from initiating this project. First, the Director of IT and the cyber security officer should be working closely together, and by doing so, they could have dealt with this matter without involving their boss, the CIO. In addition, the fact that the CIO sent a memo to the cyber security officer, instead of calling or meeting personally with the cyber security officer, indicates that the communication and working relationship between the CIO and the cyber security officer must be improved. The cyber security officer must take action to immediately begin improving the communication and relationship with the Director and the CIO.
A project chart should include the following:
Subject: The project name—Security Test and Evaluation Function Development
Responsibility: The name of the project leader—John Doe, cyber security program Senior Systems Security Engineer.
Action Item: What is to be accomplished—IT requires cyber security officer support to ensure that information and systems protection are integrated into IT systems’ integration, maintenance, and update processes.
References: What caused this project to be initiated—for example, “See memo to cyber security officer from CIO, dated November 2, 2002.”
Objective(s): State the objective of the project—Maintain a secure information environment.
Risk/Status: State the risk of not meeting the objective(s) of this project—Because of limited staffing and multiple customer projects being supported, this project may experience delays as higher priority LOE and projects take precedence.
Activity/Event: State the tasks to be performed, such as “Meet with IT project leads.”
Responsibility: Identify the person responsible for each task. In this case, it is the Senior Systems Security Engineer, John Doe.
Calendar: The calendar could be a year-long, monthly, quarterly, or 6-month calendar with vertical lines identifying individual weeks. Using the 6-month calendar, the project lead and assigned project team members would decide what tasks had to be accomplished to meet the objective. Arrows and diamonds, for example, identified in the legend, would be used to mark the beginning and ending dates of each task. The arrows are filled in when the task is started and when the task is completed; the diamonds are used to show deviations from the original dates.
Risk—Level: In this space, each task is associated with the potential risk that it may be delayed or cost more than allocated in the budget for the task. Using “high,” “medium,” or “low” or “H”, “M”, or “L”, the project lead, in concert with the person responsible for the task, assigns a level of risk.
Risk—Description: A short description of the risk is stated in this block. If it requires a detailed explanation, that explanation is attached to the project plan. In this block the project lead, who is also responsible for ensuring that the project plan is updated weekly, states “See Attachment 1.”
Issue Date: The date the project begins and the chart initiated goes in this block.
Status Date: The most current project chart date is placed here. This is important because anyone looking at the project chart will know how current the project chart is.
Other types of charts can also be developed to show project costs in terms of labor, materials, and the like. A good, automated project plan software program is well worth the costs for managing projects.
In the case of project charts, the cyber security officer can use them to brief management relative to the ongoing work of the cyber security program organization and states of the cyber security program. The cyber security officer receives weekly updates on Friday morning in a meeting with all the cyber security officer’s project leaders, during which each project lead is given 5 min to explain the status of the project—for example, “The project is still on schedule” or “Task No. 2 will be delayed because the person assigned the task is out sick for a week; however, it is expected that the project completion date will not be delayed because of it.”
The cyber security officer holds an expanded staff meeting the last Friday of each month. All assigned cyber security program personnel attend these meetings, which last 2–3 h. At these meetings, 1 h is taken for all project leads and cyber security program functional leads to brief the status of their LOE and projects to the entire staff. The cyber security officer does this so that everyone in the organization knows what is going on—a vital communications tool. Also during this time, other matters are briefed and discussed, such as the latest risk management techniques, conferences, and training available.

Questions to Consider

Based on what you have read, consider the following questions and how you would reply to them:
• Do you use formal metrics management techniques?
• If not, why not?
• If so, are they used to brief management?
• Are each of your cyber security program functions documented, not only in work instructions but also in process flowcharts?
• Do you use similar charts to document the cyber security program functional LOE?
• What other charts would you develop for each of the cyber security officer functions?
• Do you have at least one metrics chart to track the costs of each cyber security program function?
• How would you use metrics management charts to justify your budget requests?
• How would you use metrics management charts to justify the number of your staff?
• How many charts, by function and description, would you want to use as a cyber security officer?

Summary

Metrics management techniques will provide a process for the cyber security officer to support cyber security program- and cyber security program-related decisions. The cyber security officer should understand the following points:
• Metrics management is an excellent method to track cyber security program functions related to LOE, costs, use of resources, etc.
• The information can be analyzed, and results of the analyses can be used to:
Identify areas where efficiency improvements are necessary;
Determine effectiveness of cyber security program functional goals;
Provide input for performance reviews of the cyber security program staff (a more objective approach than subjective performance reviews of today’s cyber security officers); and
Indicate where cyber security program service and support to the corporation requires improvement, meets its goals, etc.

1 It is assumed each function costs time, money, and use of equipment to perform.

2 Dr. Gerald L. Kovacich has used approximately 47 metrics charts at various times to assist in managing several large cyber security programs and cyber security program organizations.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.146.221.231