This post looks at how security leaders should evaluate the quality of their efforts. Security—just like other areas of IT management—is fundamentally about people, process, and technology. COBIT 5 says the security process is about defining, operating, and monitoring a system for information security management. This involves protecting enterprise information and, in particular, keeping information security risk at an acceptable level, i.e. in accordance with an established security policy. At its core, the security process involves establishing and maintaining information security roles and access privileges, and performing security monitoring. The goal of this process is to minimize the business impact of operational information vulnerabilities and incidents. In other words, you need to keep the impact and occurrence of information security incidents within the enterprise's risk appetite.
Goals for information security management
To improve operations, COBIT 5 suggests that IT security measure itself against eight process improvement goals. This is more than the number of goals recommended for most processes, but that is because COBIT 5 recognizes the growing importance of security. Let's explore each goal along with its recommended metrics to get a better idea of how to improve IT security.
1. You have a system in place that considers and effectively addresses enterprise information security requirements. Security has matured to the point where policies and procedures are critically important. You can no longer settle, as I did in the late 90s, for a former hacker in the back room scanning for vulnerabilities. Two metrics are recommended to measure success against this goal: number of key security roles clearly defined, and number of security-related incidents. Clearly, security needs to be defined as a prominent role and staffed appropriately, but it also needs to be measured. Incident volume and percentage are appropriate metrics, just as they are for other IT operational functions.
2. You have established a security plan, and it has been accepted and communicated throughout the enterprise. As I said, security needs to be matured and managed. Three metrics are recommended: level of stakeholder satisfaction with the security plan throughout the enterprise, number of security solutions deviating from the plan, and number of security solutions deviating from the enterprise architecture. Clearly, you want stakeholders to agree with the security plan and the risks that this plan accepts. But you also want to measure deviations from the plan and from the enterprise architecture, because there is a strong relationship between control over the IT environment and IT security risk.
3. You have implemented information security solutions, and they are operating consistently throughout the enterprise. In operational processes, COBIT 5 argues for predictability. In security, this is built through consistency. Three metrics are recommended to measure success against this goal: number of services with confirmed alignment to the security plan, number of security incidents caused by non-adherence to the security plan, and number of solutions with confirmed alignment to the security plan. Clearly, we want to measure conformance to the plan and the impact of any lack of conformance.
4. Your network and communications security meet business needs. The network and communications layer is the gateway to, and potentially the set of holes into, the outside world. Two metrics are recommended: number of vulnerabilities discovered, and number of firewall breaches. While operational in nature, these need to be measured actively and driven down to establish a fundamental level of control.
5. You're protecting information that is processed on, stored on, and transmitted by endpoint devices. We know that mobility is driving up the number of endpoint devices and the need to manage an ever larger scope of devices. Three metrics are recommended to measure success against this goal: percent of individuals receiving awareness training relating to the use of endpoint devices, number of incidents involving endpoint devices, and number of unauthorized devices detected on the network. You clearly want users trained and endpoint-related incidents reduced over time. At the same time, you need to reduce and prevent unknown endpoint devices tapping into your network.
6. You've made sure all users are uniquely identifiable and have access rights in accordance with their business role. Two metrics are recommended: average time between a change (such as a departure or role change) and the corresponding update of accounts, and number of accounts vs. number of authorized users/staff. Recent incidents in the news make it clear that the latency between someone leaving and still being on the network needs to be made very, very small.
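The two metrics for goal 6 are easy to state but only useful if they are actually computed from the HR roster and the directory. The following is an added example, not code from the post or from COBIT; the roster, the account list and the date format are constructed assumptions. It reconciles enabled accounts against authorized people and measures deprovisioning latency, treating an account that is still enabled after a departure as an open gap rather than leaving it out of the average.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from the post): HR roster, person -> termination
# date, or None if still employed.
HR_ROSTER = {"alice": None, "bob": "2024-03-01", "carol": None, "dave": "2024-03-10"}

# Constructed sample data: directory accounts, account -> date disabled, or
# None if still enabled.
DIRECTORY_ACCOUNTS = {
    "alice": None,
    "bob": "2024-03-02",
    "carol": None,
    "dave": None,        # left on 2024-03-10 but never disabled
    "svc-backup": None,  # enabled account with no authorized person behind it
}


def _days_between(start: str, end: str) -> int:
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def account_metrics(roster: dict, accounts: dict, as_of: str) -> dict:
    """Goal 6 metrics: enabled accounts vs. authorized users (with the orphans
    that explain any gap), and the average days between a person leaving and
    their account being disabled. Accounts still enabled after a departure are
    counted up to `as_of`, so an open gap raises the average instead of hiding."""
    authorized = {u for u, term in roster.items() if term is None}
    enabled = {a for a, disabled in accounts.items() if disabled is None}
    orphans = sorted(enabled - authorized)

    latencies, still_enabled = [], []
    for user, term in roster.items():
        if term is None or user not in accounts:
            continue  # still employed, or never had an account
        disabled = accounts[user]
        if disabled is None:
            still_enabled.append(user)
            latencies.append(_days_between(term, as_of))
        else:
            latencies.append(_days_between(term, disabled))

    return {
        "enabled_accounts": len(enabled),
        "authorized_users": len(authorized),
        "orphaned_accounts": orphans,
        "avg_deprovision_days": mean(latencies) if latencies else 0.0,
        "not_yet_disabled": still_enabled,
    }
```

Run `account_metrics(HR_ROSTER, DIRECTORY_ACCOUNTS, as_of="2024-03-20")` to see the gap: four enabled accounts for two authorized people, and a ten-day-and-counting latency on the departed user's account.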
7. You’ve implemented physical measures to protect information from unauthorized access, damage and interference when being processed, stored or transmitted. This is absolutely fundamental to the security process and three metrics are recommended here: percent of periodic tests of environmental security devices, average rating from physical security assessment, and number of physical security-related incidents. These are fundamental to demonstrating control over the physical security of the environment.
8. You've made sure electronic information is properly secured when stored or transmitted. Increasingly, enterprise assets are digital. In one of my classes, I had a student tell me that all records are electronic at his company. Imagine, nothing is allowed to be on paper. One metric is recommended here: number of incidents relating to unauthorized access to information. Unauthorized access and intrusions need to be made rarer and rarer.
So where should you start?
As always, my suggestion is that you start where the most immediate value can be driven. But if it were up to just me, I would start with the establishment of a security plan—everything else derives from this. We need to make security incidents a rare event to take out the resulting business and IT risk. I think of this as really the first level of control. What do you think? What would be first on your list? I would love to hear back from you.