What a FitBit Can Teach Us About Security Metrics

I started running and biking a lot in 2003.  I do it to have fun, but also to stay healthy.  Back then I worked with some other cyclists, one of whom was an Excel guru who loved collecting workout data.  I started tracking my workouts, too, on his amazing spreadsheet with 11 tabs, pivot charts, and macros.  Every day I was logging my miles, activities, and other workout information.  I even tracked stuff like the weather conditions, what running shoes I wore, and personal bests on a specific route.  This data will make me a better runner, I thought, and healthier.

But invariably, I’d miss a day of data entry.  Whether I was on vacation and away from my computer, or busy, or lazy, a missed day would turn into two, then five.  I’d forget what I did for workouts and not enter data.  Over time the data had such holes that it became unreliable and, eventually, meaningless.  The manual data collection and entry was painful, and I began to actually dislike working out because I didn’t like entering the data.

In 2011 I bought a FitBit Force (I have a Charge HR now) and my views on workout data tracking changed significantly.  No more spreadsheets and keeping track of workout data manually.  Everything I do while wearing my FitBit on my wrist is collected automatically and synced to the web and my phone.  FitBit tracks my steps, miles, calories, active minutes, and stairs climbed.  Those might not be all of the metrics one might need to track their fitness if they were an elite athlete, but they are really good indicators of my activity level for the day, which can help me see a picture of my overall fitness.  And the important thing is, it’s effortless to track.  No remembering, spreadsheets, or guessing.  Automated data collection lets me concentrate on other things like enjoying the ride, and watching my progress over time.

Why the FitBit Technology Makes Sense in Regard to Information Security

The information security metrics we collect first in an organization have to be automated to be effective.  The key performance indicators of a security organization flow from the audit logs and events of the critical security functions and can’t rely on manual efforts.  The tracking of privileged account usage, vulnerabilities, and malware alerts needs to flow automatically without “pulling” information from people.  Like my first efforts with the spreadsheet, manual security metric collection of critical baseline data will fail due to our human propensity for error.

Once we reach a level of maturity in which we are automatically collecting our key metrics reliably, we can begin to bring in other data, correlating information that augments our visibility into our security posture and adds new value.  I currently sync cycling data from an app on my phone to FitBit to add more detailed context to my bike workouts.  I also bring in mapping data from my runs from an app that can show road elevation profiles against my heart rate.  Those are also automated and they help me get more meaning from my base FitBit data.  In the realm of information security, we can pull data from our configuration compliance scans to supplement our asset inventory.  Or we can associate vulnerability scan results with attack info in our incident response tool, and start to see the why of the attacks.  We’re using data from multiple automated sources to add to the complete sight picture of what’s happening in our environment.
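The two correlations described above, sketched as an added example (not code from the original post): compliance-scan hosts are compared against the asset inventory, and each incident is joined to the vulnerability findings that were open on that host when the incident started. All host names, finding ids, dates and field names are constructed, and the sketch assumes each tool can export records keyed by hostname.

```python
from datetime import date

# Constructed sample exports from automated sources (not real data).
INVENTORY = {"web-01", "db-01", "hr-laptop-07"}
COMPLIANCE_SCAN = [  # hosts the configuration compliance scanner reached
    {"host": "web-01", "failed": 3},
    {"host": "db-01", "failed": 0},
    {"host": "build-02", "failed": 14},
]
VULN_SCAN = [  # finding ids are placeholders, not real identifiers
    {"host": "web-01", "finding": "FINDING-A", "first_seen": date(2016, 1, 4), "fixed": None},
    {"host": "db-01", "finding": "FINDING-B", "first_seen": date(2016, 1, 4), "fixed": date(2016, 1, 20)},
    {"host": "build-02", "finding": "FINDING-C", "first_seen": date(2016, 2, 1), "fixed": None},
]
INCIDENTS = [
    {"id": "IR-1", "host": "web-01", "opened": date(2016, 2, 10)},
    {"id": "IR-2", "host": "db-01", "opened": date(2016, 2, 12)},
    {"id": "IR-3", "host": "hr-laptop-07", "opened": date(2016, 2, 15)},
]

def inventory_gaps(inventory, compliance_scan):
    """Hosts the scanner saw but inventory lacks, and inventoried hosts never scanned."""
    scanned = {row["host"] for row in compliance_scan}
    return {"unlisted": sorted(scanned - inventory), "unscanned": sorted(inventory - scanned)}

def open_findings_at(vuln_scan, host, when):
    """Findings on `host` that were detected and still unfixed on date `when`."""
    return [v for v in vuln_scan
            if v["host"] == host and v["first_seen"] <= when
            and (v["fixed"] is None or v["fixed"] > when)]

def correlate(incidents, vuln_scan):
    """Attach to each incident the findings that were open when it started."""
    report = []
    for inc in incidents:
        hits = open_findings_at(vuln_scan, inc["host"], inc["opened"])
        days = max(((inc["opened"] - h["first_seen"]).days for h in hits), default=0)
        report.append({"incident": inc["id"], "host": inc["host"],
                       "open_findings": [h["finding"] for h in hits],
                       "max_exposure_days": days})
    return report

def known_exposure_rate(report):
    """Share of incidents on hosts that had a known, unfixed finding at the time."""
    return sum(1 for r in report if r["open_findings"]) / len(report)

if __name__ == "__main__":
    print(inventory_gaps(INVENTORY, COMPLIANCE_SCAN))
    for row in correlate(INCIDENTS, VULN_SCAN):
        print(row)
```

An incident with no open findings is as informative as one with several: it points either at a cause the scanner does not cover or at a host, like the unscanned laptop here, that the automated feeds never reached.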

Only the final level of metrics collection might find us bringing in data manually.  When we have the resources to collect other sources of data that cannot be automated, and if that data is actionable, it might be worth collecting and adding to our catalog of metrics.  Right now I use the MyFitnessPal app to manually track what I eat and it gives me information on my macronutrients and calorie intake. I also manually input my weight and how much water I drink.  The key here is that I have time for that data collection, and I find it to be meaningful and actionable.  When I stop finding it meaningful, I’ll stop entering it.

Perhaps your security organization is at this level of metrics maturity, polling the security team for performance data on projects and other efforts whose collection can’t be automated.  If that data adds to the visibility a CISO needs to evaluate the maturity and performance of the security organization, and you have the people and time to collect it, that’s outstanding.

How the FitBit Analogy Relates to Your Organization

If you have to start somewhere on your security metrics journey, start with what’s already being generated effortlessly.  Digest it, learn from it, and use it to drive improvement.  Acknowledge that you can’t rely on manual collection at the outset, and work towards bringing in other data to correlate later.  It’s an interesting and exciting process that will result in security programs that are healthy and strong.

Now if you will excuse me, I need to go run.  I still have 3500 steps to do today.