Cloud-native security metrics for CISOs

Author and chief risk officer Rich Seiersen talks about the challenges of securing cloud-native applications and how to use metrics to improve their effectiveness.

Organizations are under pressure to use cloud services and modernize their software development practices, but these raise new challenges for security leaders. Enterprise Strategy Group research on cloud-native applications showed that, while cloud-native apps bring the benefits of increased efficiency and speed of deployment, security and compliance top the list of challenges.

Security leaders must effectively manage security risk as development scales. But how can they measure the effectiveness of their programs and successfully support digital transformation? I interviewed experienced CISO Rich Seiersen, chief risk officer at cyber insurance company Resilience and author of How to Measure Anything in Cybersecurity and The Metrics Manifesto, about the challenges of cloud-native security and how to use metrics to build and improve security programs. Below are highlights from our discussion. Be sure to watch the video below for more.

The challenges of scale

As CISO of Twilio during 2016-17, Seiersen thought the security industry wasn't ready for the volume of releases enabled by cloud-native development with continuous integration and continuous delivery pipelines. Twilio was at the leading edge at the time, with 30,000 releases per year. Traditional application security testing products, including static application security testing (SAST) and dynamic application security testing (DAST), were too disruptive to use with cloud-native development, he said.

"It would have slowed things down," Seiersen said. "SAST, DAST, the amount of false positives -- that's all drag. But how do you maintain value, throughput and [release] features while reducing the likelihood of an exploit that could lead to any sort of breach?"

Rethinking the role of security

I've written about and released research on shift-left security, where some security responsibilities move to developers so that security is no longer a bottleneck holding up the rapid pace of development. Seiersen has a great analogy for this: Security needs to function as the pit crew enabling racecar drivers -- the developers -- to get through the security checkpoint quickly.

"There are necessary things that need to happen to make sure the machine can go fast. The mindset of security should be similar to the pit crew: 'We're going to do it in such a way that contributes to winning,'" Seiersen said. "I think a lot of security folks actually don't take the perspective of a pit crew; they take the view of the cop. I think it's really important in cloud-native development that there's this whole ethos and mindset shift that needs to happen," he added.

I agree and, as an analyst, I get excited about products and tools that can help security teams be successful in enabling digital transformation instead of blocking it. This ties into security metrics because CISOs are responsible for managing risk and being able to prove their results.

Cloud-native security metrics that matter

Seiersen has written in-depth about security metrics, but in this interview he shared his five top objects of measurement, which he calls BOOM -- baseline, objectives and optimization measures:

  1. Burndown rates: the rate at which you are burning down known bugs.
  2. Time to live: dwell time of known bugs.
  3. Arrival rate: the rate at which risk materializes.
  4. Interarrival rate: the average time between instances.
  5. Escape rate: the rate at which known bugs go into development.
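
One way to operationalize the five measures from a bug ledger, as an added Python example that is not from the article or from Seiersen's own work. The ledger is constructed, and counting a bug as "escaped" when it was still open at the time a release shipped is an assumption about how to apply the escape-rate definition above.

```python
from datetime import date
from statistics import mean

# Constructed sample ledger of known bugs (not real findings): when each was
# opened, when it was closed (None = still open) and whether it was still open
# when a release shipped. Assumption: "shipped_open" is how an escape is counted.
BUGS = [
    {"id": "B1", "opened": date(2024, 1, 2), "closed": date(2024, 1, 9), "shipped_open": False},
    {"id": "B2", "opened": date(2024, 1, 5), "closed": date(2024, 1, 7), "shipped_open": True},
    {"id": "B3", "opened": date(2024, 1, 11), "closed": None, "shipped_open": True},
    {"id": "B4", "opened": date(2024, 1, 20), "closed": date(2024, 1, 30), "shipped_open": False},
    {"id": "B5", "opened": date(2024, 1, 26), "closed": None, "shipped_open": False},
]


def boom_metrics(bugs, window_start, window_end):
    """Compute the five BOOM measures over an inclusive reporting window."""
    days = (window_end - window_start).days + 1
    in_window = lambda d: d is not None and window_start <= d <= window_end
    opened = sorted(b["opened"] for b in bugs if in_window(b["opened"]))
    closed = [b for b in bugs if in_window(b["closed"])]
    # Time to live: dwell time of each known bug; still-open bugs are aged to window end.
    dwell = [((b["closed"] or window_end) - b["opened"]).days
             for b in bugs if b["opened"] <= window_end]
    # Interarrival: gaps between consecutive arrivals inside the window.
    gaps = [(later - earlier).days for earlier, later in zip(opened, opened[1:])]
    escaped = [b for b in bugs if b["shipped_open"] and in_window(b["opened"])]
    still_open = [b for b in bugs
                  if b["opened"] <= window_end and (b["closed"] is None or b["closed"] > window_end)]
    return {
        "burndown_rate_per_day": len(closed) / days,      # known bugs closed per day
        "time_to_live_days_mean": mean(dwell) if dwell else 0.0,
        "arrival_rate_per_day": len(opened) / days,       # new risk materializing per day
        "interarrival_days_mean": mean(gaps) if gaps else None,
        "escape_rate_per_day": len(escaped) / days,
        "open_at_window_end": len(still_open),            # the baseline to burn down next window
    }


if __name__ == "__main__":
    for name, value in boom_metrics(BUGS, date(2024, 1, 1), date(2024, 1, 31)).items():
        print(f"{name}: {value}")
```

Run it month over month and compare burndown against arrival: if arrivals outpace closures, the baseline of open bugs grows and the program is losing ground regardless of how many findings it fixed.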

Watch the interview to hear Seiersen break down each measurement and describe how to work them into development cycles.
