What to measure in order to secure the enterprise


Occasionally, I get to hear other sessions at HP Discover just like HP’s customers. So on Monday, I went to a session titled “Security operations: Maturity, effectiveness, and ROI” by HP’s ArcSight team. Now I have gotten to touch security before in my career. A while back I had been brought into a company called iSpheres by the CEO and board to look at getting them into a new business. One of the areas we looked at for the company’s technology was security, because the president of iSpheres came out of security and saw the need for a higher-level security product. As we evaluated the opportunity, everyone said not to go there because there was a startup that had already figured this out. The company’s name was ArcSight.


In this presentation, I was looking for higher-level processes and KPIs that our Executive Scorecard should be measuring. Was there something that we were possibly missing when it came to security? After a few minutes, I felt very comfortable with what we already do. Clearly, there were unique things that the ArcSight SIEM solution does, but from a tooling perspective, the security stack reminded me of what we do in our operations stack at HP. And just like what we do in operations, when something goes wrong or requires something to be done, an incident is created within the service management tool. I knew from my experience at iSpheres that security starts with log management.


But what was new for me was that security was now adopting the CMMI maturity model in order to drive what the speaker called “Security-Ops best practices.” So security is drawing on standards like COBIT 5, where the key to successful security processes is making them documented and then repeatable. This means that security today is all about people, process, and technology. For those of us from the ITIL world, this should sound very familiar. In fact, ArcSight has put together a 150-question maturity assessment tool that assesses maturity across people, process, and technology.


At the same time, it was suggested that security needs to be top down or you inundate management with events and force a reactive versus proactive security. Just like Operations, there are too many events if you do not correlate them and then relate them to the needs of senior leaders. But probably the most important thing I learned was that proactive security requires automation.


This is how Executive Scorecard can be used in conjunction with security solutions like ArcSight. Executive Scorecard already pulls from the automation and operations stack. With it you can answer many business and IT questions. Do I have policies? Can I lock down the server, storage, and network configuration? Is my data sent in encrypted form? How long does it take to bring things back into compliance? CISOs clearly need the blocking and tackling of looking at logs, perimeter and network defenses, compliance, threat assessment, and critical transaction monitoring, but they also need to know whether the operational controls are in place for proactive security. They also need the incident harvesting to know where they have success and where they have failure. This is where a security strategy that uses performance management tools like Executive Scorecard can help organizations measure, manage, and improve.


Solution page: IT Performance Management

Twitter: @MylesSuer

About the Author


Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product Management including IT Financial Management and Executive Scorecard.
