As G.I. Joe taught us back many moons ago, Knowing is half the battle.
To test this theory, I’ve been trying out potential KPIs by raising the issues or concerns each one represents with the relevant parties in various conversations. Hands down, the one that has gotten the most interest is how little we actually know about our risk landscape.
From this exercise, it has become obvious to me that my first Security Metrics KPI must be related to Coverage and Control:
percentage of internal hosts which are centrally managed and protected.
No matter what else I might try to tell people about our risk profile, I look like either Chicken Little or a buffoon if I don’t know how much of the total enterprise I’m actually speaking knowledgeably about.
And while this is really more of a table which rolls up to the KPI, and while we can debate what exactly is required to be “centrally managed and controlled,” we cannot manage what we cannot control. As such, anything which is outside the framework (even if it meets compliance without our help) doesn’t matter in this case.
To know the percentage, I need to know the total number of active nodes on the internal network. From there, I can begin to provide detail around what type or level of control I have over those hosts. Things like:
- Number of Windows hosts that are members of Active Directory
- Number of Windows hosts with centrally-managed anti-virus
- Number of Linux/Unix hosts which are managed by IT
- Number of hosts which are patched by IT (and in keeping with our patching SLAs, but that’s another metric for another day)
We have a fair amount of AS400 out there, too, but from a host count perspective, it’s small and it’s all centrally-managed. How well-managed is another deal entirely. There just isn’t anyone who says, “We can just order an iSeries and turn it in on the corporate card as a team dinner.”
But once I have this, I can provide not only my KPI, but also a measurable definition of what comprises it and from that, provide the operational roadmap of what must be done in order to achieve the necessary level of control for our network, given the stated risk tolerance for host security.
I would like to be able to do something similar for “applications,” but that creates a couple of problems which we can’t actually solve right now. First, IT can’t provide me with the inventory data that I would need to provide an accurate assessment. Second, finding “applications” is much more difficult than finding hosts on the network and determining simple characteristics like operating system and domain membership.
Chandler,
I really hope you can get to the actual count of devices. I am not sure it is possible. Can you use a MAC address list or something from the network side? I would love to be able to count devices at work just to know.
Iang Says:
Is KPI key performance indicator? I should probably know this, but …
Bob Fairbairn Says: