5 ways to measure the success of a security and risk management strategy

Driving Continual Business Value

Security is a front-and-center concern for businesses today. Cyber threats are getting more sophisticated and even more unpredictable. More importantly, the risks associated with getting security and risk management wrong include everything from financial loss, reputation damage, customer loss and lawsuits to the loss of human life. As it turns out, it is a lack of IT coordination between people, process, and technology that actually creates the blind spots attackers exploit. Piling on more software, more processes, and more stopgap measures is simply not a sustainable option.

Security is a Cold War Game

Security and risk management has effectively become a cold war game of measures, countermeasures, and counter-countermeasures. Most recently we’ve seen this on “60 Minutes” (in a piece devoted to the Stuxnet virus) and in this week’s press on DuPont. In many cases, the perpetrators are shadow operations (sometimes state-sponsored) and include trained operatives hacking into companies and countries.

What is needed to succeed in the never-ending security and risk war is an end-to-end framework that reconciles what are most often disparate functions and silos of security within IT. Only by using such a framework can you achieve a sustainable approach to protecting your company.

One thing is clear: security and risk management have become an increasingly important priority for CIOs and Chief Information Security Officers.

 

More than ever, enterprises need to explicitly manage the security, risk and compliance of their entire IT infrastructure by addressing all aspects of enterprise security: people, processes and technology. Key to making this happen is making sure IT assets and resources remain safely under the control of CIOs and CISOs.

5 concrete measures for security and risk management

Like the other topics we have been discussing over the last few weeks in this series (converged infrastructure, hybrid delivery, application transformation and information management), concrete measures are needed to prove out the value and quality of the end-to-end security and risk management journey. The measures below are drawn from IT service management, because service management is the living record of success and failure in IT management and, more importantly, the convergence point for people, process, and technology.

1) Number of incidents due to physical security breaches or failures. I also like the percent of total incidents that are due to physical security breach or failure, because it is a figure that can be tracked month over month and should always be very small.

2) The percentage of emergency changes is another important measure derived from the service management system. Where this percentage is high, changes are likely happening without a strong change advisory board; in that case, changes are in reality being documented after the fact. While capturing a compliance record is important, running IT this way means standards are not being applied, and IT infrastructure and business applications are exposed to a higher risk of security lapse than they should be.

3) The percentage of unauthorized implemented changes is critical to monitor, because where this is above zero there is no real control over the IT environment. As the number of unauthorized changes increases, the potential for a major security issue also increases significantly.

4) Percentage of users who do not comply with password standards. The number and type of suspected and actual access violations need to be driven to a very small number; in fact, a serious IT organization should drive this as close as possible to zero.

5) Mean time to recover from non-compliance. One way to establish better control over the IT environment is to ensure that IT infrastructure conforms to policy standards and is buttoned down, and that when it falls out of conformance, it is quickly recovered. This KPI goes after that issue directly.

COBIT 4 identifies many more measures for security, compliance, and business risks, but the five discussed here represent a great place to start.
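To show how the five measures above are actually pulled out of service-management data, here is an added example (not code from the original post or from any HP product). It computes each KPI from a small set of constructed incident, change, user and non-compliance records; the record layout, the password policy values and the tolerance thresholds are all assumptions made for illustration, except the rule from measure 3 that unauthorized changes must be zero.

```python
"""Compute the five security and risk KPIs from ITSM-style records.

Added example. The dict layouts below are an assumed, simplified schema,
not the export format of any particular service management tool.
"""
from datetime import datetime
from statistics import mean

# --- Constructed sample data ------------------------------------------------
INCIDENTS = [  # one record per closed incident, with its root-cause category
    {"id": "INC-1", "category": "application"},
    {"id": "INC-2", "category": "physical_security"},
    {"id": "INC-3", "category": "network"},
    {"id": "INC-4", "category": "physical_security"},
    {"id": "INC-5", "category": "application"},
]

CHANGES = [  # "approved_rfc": a change request approved by the CAB before implementation
    {"id": "CHG-1", "type": "standard", "approved_rfc": True},
    {"id": "CHG-2", "type": "emergency", "approved_rfc": True},
    {"id": "CHG-3", "type": "normal", "approved_rfc": True},
    {"id": "CHG-4", "type": "normal", "approved_rfc": False},  # found by config audit, no RFC
    {"id": "CHG-5", "type": "emergency", "approved_rfc": True},
]

USERS = [  # password attributes as a directory audit would report them
    {"user": "alice", "pw_length": 16, "pw_age_days": 30},
    {"user": "bob", "pw_length": 8, "pw_age_days": 400},
    {"user": "carol", "pw_length": 14, "pw_age_days": 200},
    {"user": "dave", "pw_length": 12, "pw_age_days": 20},
]
PASSWORD_POLICY = {"min_length": 12, "max_age_days": 365}  # assumed policy

NONCOMPLIANCE_EVENTS = [  # policy drift on an asset: when detected, when fixed
    {"asset": "web-01", "detected": "2011-02-01T08:00:00", "remediated": "2011-02-01T12:00:00"},
    {"asset": "db-02", "detected": "2011-02-03T09:30:00", "remediated": "2011-02-04T09:30:00"},
    {"asset": "app-07", "detected": "2011-02-05T10:00:00", "remediated": None},  # still open
]

# Assumed tolerances; only the zero for unauthorized changes comes from the post.
TARGETS = {
    "physical_breach_incident_pct": 5.0,
    "emergency_change_pct": 10.0,
    "unauthorized_change_pct": 0.0,
    "password_noncompliance_pct": 5.0,
    "mean_hours_to_recover": 8.0,
}


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def physical_breach_incident_pct(incidents):
    """KPI 1: share of incidents whose root cause was a physical security failure."""
    return pct(sum(1 for i in incidents if i["category"] == "physical_security"), len(incidents))


def emergency_change_pct(changes):
    """KPI 2: share of changes raised as emergencies (documented after the fact)."""
    return pct(sum(1 for c in changes if c["type"] == "emergency"), len(changes))


def unauthorized_change_pct(changes):
    """KPI 3: share of implemented changes that had no approved change request."""
    return pct(sum(1 for c in changes if not c["approved_rfc"]), len(changes))


def password_noncompliance_pct(users, policy):
    """KPI 4: share of users whose password violates length or maximum-age rules."""
    def violates(u):
        return u["pw_length"] < policy["min_length"] or u["pw_age_days"] > policy["max_age_days"]
    return pct(sum(1 for u in users if violates(u)), len(users))


def mean_hours_to_recover(events):
    """KPI 5: mean hours from detecting non-compliance to remediating it (closed items only)."""
    hours = []
    for e in events:
        if e["remediated"] is None:
            continue  # open items are reported separately, not averaged as zero
        delta = datetime.fromisoformat(e["remediated"]) - datetime.fromisoformat(e["detected"])
        hours.append(delta.total_seconds() / 3600)
    return round(mean(hours), 1) if hours else None


def open_noncompliance(events):
    """Assets still out of policy; a growing list here undermines KPI 5 even if the mean looks good."""
    return [e["asset"] for e in events if e["remediated"] is None]


def scorecard():
    return {
        "physical_breach_incident_pct": physical_breach_incident_pct(INCIDENTS),
        "emergency_change_pct": emergency_change_pct(CHANGES),
        "unauthorized_change_pct": unauthorized_change_pct(CHANGES),
        "password_noncompliance_pct": password_noncompliance_pct(USERS, PASSWORD_POLICY),
        "mean_hours_to_recover": mean_hours_to_recover(NONCOMPLIANCE_EVENTS),
    }


def out_of_tolerance(scores, targets=TARGETS):
    """Names of KPIs that exceed their target, in scorecard order."""
    return [k for k, v in scores.items() if v is not None and v > targets[k]]


if __name__ == "__main__":
    s = scorecard()
    for k, v in s.items():
        print(f"{k:32s} {v}")
    print("open non-compliance:", open_noncompliance(NONCOMPLIANCE_EVENTS))
    print("out of tolerance:", out_of_tolerance(s))
```

Note that the recovery KPI deliberately excludes items that are still open rather than counting them as zero hours; reporting the open list alongside the mean keeps a long-lived drift from hiding behind a handful of quick fixes.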

Related links:

Feature: Peak performance demands precision control

Solution Brief: IT Security

Solution page: IT performance management

Twitter: @MylesSuer

About the author: Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product Management including IT Financial Management and Executive Scorecard.