I really wish I'd found whom to credit for this awesome, if tragic, photo....
Security programs can fail in subtle or spectacular ways, and for many different reasons. I don't mean one particular breach or incident here, but one of the reasons that is hardest to detect amid the daily pressures: losing direction. It is hard to detect because it happens at no observable speed. The effects of lost direction build up over months and even years and only become apparent in hindsight. The results can be devastating, for the company and for the individual, in our case the security guy. So, what can we do about that?
According to businessdictionary.com, controlling is the basic management function of (1) establishing benchmarks or standards, (2) comparing actual performance against them, and (3) taking corrective action if required. The concept has its roots in the financial world and, much like quality control, which originated in manufacturing, it has found its way into other professions. That is no accident: the same approach gives a pragmatic, if admittedly high-level, view of the overall health of a security program.
Another thing: this is the language of business.
The following eight questions closely mimic the original concept of financial controlling, adapted to security. Try them on for size and test your current ways of working against them.
1. Have you identified which implemented security measures actually achieve their intended purpose and protect (or even generate) value, and which ones are just eating up resources and wasting money?
2. Are you aware of the actual impact of security activity on the day-to-day operations, strategic goals and financial results of your company? Also, which system-level interactions (organization-wide or broader) are at play, supporting or counteracting your efforts?
3. Do you know to what degree risk is reduced as a result of security activity? Do you recognize the point beyond which further tightening of security would degrade the efficiency of the business processes you intend to protect to a significant or unacceptable level (i.e. "too much" security)? The balance between functionality and security is key.
4. Are you successful in identifying real security risks in your risk assessment and planning work, risks that are meaningful to your organization, and are you allocating resources accordingly?
5. Do you become aware in a timely manner of incidents and breaches, and of developing tendencies and trends that are changing your organization's risk profile?
6. Are issues requiring a management decision prepared and put forward, decided and acted upon in a timely manner (i.e. while they are still relevant, or before it is too late)?
7. Is a relevant information security strategy being maintained? (Relevant, as in aligned with the IT strategy and the organization's broader goals, and understood and endorsed by the organization's top management!) Are you successful in translating your strategic goals into operational objectives and actions?
8. Do you recognize when one or more of your security expenditures protect or bring less and less value over time (i.e. have decreasing utility)?
Raising these questions is just the beginning. Reflecting on them regularly, by defining, maintaining, reviewing and acting upon relevant strategic security metrics and other performance and risk indicators, is essential to keeping our security and IT risk programs on track.
Which areas do you find challenging and why?
The source of inspiration for this article was this book on financial controlling.