
NIST hopes to create cybersecurity metrics community
The National Institute of Standards and Technology (NIST) is calling for the creation of a Community of Interest (CoI) for those interested in information security measurement to work together to share expertise, refine the body of knowledge and resources, and identify opportunities for growth and improvement.
In the wake of sharing an initial public draft of two sets of best practices for first determining what metrics to collect and how to implement ways to collect them, NIST is now asking for public feedback on these drafts as part of an effort to build a larger community. The first defines a flexible approach to the development, selection, and prioritization of information security measures based on both quantitative and qualitative metrics that can be modeled and analyzed. The second defines a methodology for developing and implementing a structure for an information security measurement program.
Measuring the effectiveness of cybersecurity has always been problematic because it involves attempting to prove a negative. In the absence of a breach, cybersecurity is deemed successful. When the inevitable breach does occur, the question quickly becomes how fast cybersecurity teams can limit the damage. Most cybersecurity teams have implemented some type of layered defense to limit the potential blast radius of a breach.
Now, however, business leaders are asking cybersecurity teams to quantify the level of cybersecurity risk the organization faces so they can better determine the actual level of investment required. Business executives may not know much about cybersecurity, but they are able to assess risks to the business. Cybersecurity, from their perspective, is just one of many risks to the business that needs to be evaluated. Just as critically, business leaders want to know whether previous investments made in cybersecurity had any meaningful impact on reducing the level of risk faced.
The challenge is that metrics that cybersecurity teams track today don’t always easily correlate to a risk that business leaders will appreciate. Rather than each cybersecurity team trying to define a set of metrics they hope business leaders might understand, NIST is calling on the cybersecurity community to collaboratively define those metrics.
Naturally, it’s going to be difficult for any cybersecurity team to devote time and resources to these types of efforts. Most cybersecurity teams are hard-pressed to respond to existing threats. Spending time on defining a set of metrics for evaluating returns on investment (ROI) in cybersecurity feels a lot like an exercise in documenting the self-evident when everyone knows breaches can have catastrophic consequences. Alas, the ROI in cybersecurity is anything but obvious to business leaders who often feel little progress is being made despite years of ongoing investment.
Of course, the one thing that business leaders have consistently failed to appreciate is how the tactics and techniques used by cybercriminals continue to evolve. Every time an organization implements a set of tools and practices to thwart one type of attack it’s not long before cybercriminals shift tactics yet again. Cybersecurity isn’t some static goal that can be achieved and maintained. Rather, it’s a constantly shifting battle that, over time, will require the funding of new types of weaponry to successfully wage.