What a FitBit Can Teach Us About Security Metrics

By Eric Noonan • September 1, 2015

I started running and biking a lot in 2003.  I do it to have fun, but also to stay healthy.  Back then I worked with some other cyclists, one of whom was an Excel guru that loved collecting workout data.  I started tracking my workouts, too, on his amazing spreadsheet with 11 tabs, pivot charts, and macros.  Every day I was logging my miles, activities, and other workout information.  I even tracked stuff like the weather conditions, what running shoes I wore, and personal bests on a specific route.  This data will make me a better runner, I thought, and healthier.

But invariably, I’d miss a day of data entry.  Whether I was on vacation and away from my computer, or busy, or lazy, a missed day would turn into two, then five.  I’d forget what I did for workouts and not enter data.  Over time the data had such holes that it became unreliable and, eventually, meaningless.  The manual data collection and entry was painful, and I began to actually dislike working out because I didn’t like entering the data.

In 2011 I bought a FitBit Force (I have a Charge HR now) and my views on workout data tracking changed significantly.  No more spreadsheets and keeping track of workout data manually.  Everything I do while wearing my FitBit on my wrist is collected automatically and synced to the web and my phone.  FitBit tracks my steps, miles, calories, active minutes, and stairs climbed.  Those might not be all of the metrics an elite athlete would need to track their fitness, but they are really good indicators of my activity level for the day, which gives me a picture of my overall fitness.  And the important thing is, it’s effortless to track.  No remembering, spreadsheets, or guessing.  Automated data collection lets me concentrate on other things like enjoying the ride, and watching my progress over time.

Why the FitBit Technology Makes Sense in Regard to Information Security

The information security metrics an organization collects first have to be automated to be effective.  The key performance indicators of a security organization flow from the audit logs and events of the critical security functions and can’t rely on manual effort.  Tracking of privileged account usage, vulnerabilities, and malware alerts needs to flow automatically, without “pulling” information from people.  Like my first efforts with the spreadsheet, manual collection of critical baseline security metrics will fail because of our human propensity for error.

Once we reach a level of maturity in which we are automatically collecting our key metrics reliably, we can begin to bring in other data, correlating information that augments our visibility into our security posture and adds new value.  I currently sync cycling data from an app on my phone to FitBit to add more detailed context to my bike workouts.  I also bring in mapping data from my runs from an app that can show road elevation profiles against my heart rate.  Those are also automated and they help me get more meaning from my base FitBit data.  In the realm of information security, we can pull data from our configuration compliance scans to supplement our asset inventory.  Or we can associate vulnerability scan results with attack information in our incident response tool, and start to see the why behind the attacks.  We’re using data from multiple automated sources to build a complete sight picture of what’s happening in our environment.
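As an added example (not from the post or any product it mentions), here is the two-stage idea above on constructed data: baseline indicators computed from an automated audit feed and scan output, then incident records joined to scan findings by asset and attacked service. The key=value log layout, the record fields, and the VULN-nnnn identifiers are assumptions, not real formats or CVEs.

```python
from collections import Counter

# Constructed vulnerability scan findings (ids are placeholders, not real CVEs)
VULN_FINDINGS = [
    {"asset": "web01", "id": "VULN-0001", "severity": "critical", "service": "http"},
    {"asset": "db01", "id": "VULN-0003", "severity": "high", "service": "mysql"},
    {"asset": "ws42", "id": "VULN-0004", "severity": "low", "service": "smb"},
]

# Constructed incident-response records: which asset was hit and via what vector
INCIDENTS = [
    {"asset": "web01", "vector": "http", "outcome": "blocked"},
    {"asset": "db01", "vector": "mysql", "outcome": "contained"},
    {"asset": "ws42", "vector": "phishing", "outcome": "blocked"},
]

# Constructed privileged-account audit lines in an assumed key=value layout
AUDIT_LOG = """\
2015-08-30T01:12:07Z action=sudo user=alice host=db01 cmd=/bin/bash
2015-08-30T02:45:10Z action=sudo user=svc-backup host=db01 cmd=/usr/bin/rsync
2015-08-31T09:00:02Z action=sudo user=alice host=web01 cmd=/usr/bin/systemctl
"""

def parse_audit(log):
    """Turn each audit line into a dict; this is the effortless baseline feed."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(pair.split("=", 1) for pair in rest.split())
        fields["ts"] = ts
        events.append(fields)
    return events

def baseline_metrics(findings, events):
    """Key indicators computed purely from automated sources, no manual polling."""
    return {
        "open_by_severity": dict(Counter(f["severity"] for f in findings)),
        "privileged_sessions_by_host": dict(Counter(e["host"] for e in events)),
    }

def correlate(findings, incidents):
    """Join incidents to scan findings on asset and attacked service: the 'why'."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f["asset"], []).append(f)
    return {
        inc["asset"]: [f["id"] for f in by_asset.get(inc["asset"], [])
                       if f["service"] == inc["vector"]]
        for inc in incidents
    }
```

An incident whose asset has no finding on the attacked service (ws42 above, hit by phishing) comes back with an empty list, which is itself a useful signal that the scan data does not explain the event.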

Only the final level of metrics collection might find us bringing in data manually.  When we have the resources to collect other sources of data that cannot be automated, and if that data is actionable, it might be worth collecting and adding to our catalog of metrics.  Right now I use the MyFitnessPal app to manually track what I eat and it gives me information on my macronutrients and calorie intake. I also manually input my weight and how much water I drink.  The key here is that I have time for that data collection, and I find it to be meaningful and actionable.  When I stop finding it meaningful, I’ll stop entering it.

Perhaps your security organization is at this level of metrics maturity, polling the security team for performance data on projects and other efforts whose collection can’t be automated.  If that data adds to the visibility a CISO needs to evaluate the maturity and performance of the security organization, and you have the people and time to collect it, that’s outstanding.

How the FitBit Analogy Relates to Your Organization

If you have to start somewhere on your security metrics journey, start with what’s already being generated effortlessly.  Digest it, learn from it, and use it to drive improvement.  Acknowledge that you can’t rely on manual collection at the outset, and work towards bringing in other data to correlate later.  It’s an interesting and exciting process that will result in security programs that are healthy and strong.

Now if you will excuse me, I need to go run.  I still have 3500 steps to do today.

CyberSheath Blog