New Benchmarks for Network Risk and Confidential Hot Lines
Wed, 2006-11-22 15:25

Security executives require evidence to justify their risk management investments, and there's a big appetite for more ways to get that evidence.

Two companies say they have heard that plea and unveiled efforts in the last week to make it easier for CSOs and other security execs to measure how they stack up to others in their industries. Both efforts, by Lumeta and The Network, have just begun, and the proponents acknowledge that while they like the data they are producing so far, their projects will grow in value over time, as they analyze new data they collect.

Lumeta's Network Index

Lumeta, a six-year-old spinoff from Bell Labs' research work on an Internet Mapping Project, this week introduced a "network index" designed to identify where the risky hot spots are on a large organization's far-flung networks. The idea is to give senior management an overview of two things: where the outlying boundaries of the organization's network lie, and which areas need risk mitigation. The index uses four network categories -- topology, access space, leaks and device fingerprints -- and classifies each one as minimal, low, moderate, elevated or high risk. Then it gives a total network risk index score.

An underlying theme behind the need for such an index, says Lumeta CTO David Arbeitel, is that corporate and government networks are infinitely dynamic: it's tough to keep tabs on everything even with good policies in place. "The key root causes of misaligned network defenses are not technology," Arbeitel says. "There are so many people, so many employees, contractors, outsourcers, it's inevitable that with all that connectivity and devices, [network security] becomes unruly."

The Network's Hotline Benchmark

Security and risk management executives also have clamored for quantitative data that provides evidence of value for confidential hotlines. The Network, a provider of confidential hotlines (think whistleblowers) to both government agencies and the private sector, has launched a benchmark study with research support from the CSO Executive Council, a professional organization for security executives affiliated with CSO, and the Association of Certified Fraud Examiners.

The benchmarking report essentially found that calls to hotlines are not a waste: 65 percent of calls required some kind of follow-up investigation, and 71 percent of the calls reflected information that management didn't know before someone dropped a dime. You can read an article with more of the findings here.

In an interview, Tony Malone, CEO of The Network, notes that while security and risk management executives were interested in such trend data in the past, the advent of corporate compliance regulations such as Sarbanes-Oxley makes them urgent now.

When The Network started selling the hotline services in 1983, Malone says, "People tended to be private" about the use of such services.

The subjects of hotline calls are still sensitive today, but, Malone adds, so is the need to comply with Sarbanes-Oxley and its provisions that require corporations to demonstrate they have controls in place to guard against improper conduct. "That emphasis has caused people to be desirous of looking beyond their own environments," he adds, to compare their experiences using the hotlines with others.

"This report sets the stage to identify emerging best practices for hotlines and other reporting mechanisms, and gives people the ability to assess their program against a benchmark," Malone adds.

-- Michael Goldberg

Reader Feedback
Fri, 2007-05-25 02:25
But other said
By bbw

But other said that the judgement induces common sense, tertium non datur
