Performance Measurement

7 09 2011

Information security professionals are fighting a losing battle, and we are often our own worst enemies. This battle is not the mundane combat against the technical threats of the day, nor is it against the users we are trying to support. The battle we consistently lose is the one to communicate success.

As security professionals, we have many responsibilities. Among them are the need to repel the wily hacker and to ensure that authorized users can access data where and when they need it. We must ensure that compliance needs are met, stop ever-persistent malware, educate users, and plan for disasters. All the while, we must ensure that business functions succeed on the corporate network, on iPads and smart phones, and across the globe. Yet, as capable people with advanced tools and techniques meet these responsibilities every day, their successes remain largely unrecognized.

There are a number of possible explanations for why information security professionals fail to communicate success. One is the illusion that security lies in the absence of negative events: the false comfort provided by luck or ignorance, rather than by planning and diligence, can be mistaken for excellence in security management. Another is the absence of relevant measures. We often measure what is easy to tally, such as the number of viruses blocked or the number of help desk calls handled in a day. Where many information security managers fail is in connecting those numbers to the operational needs of the organization. The result of this failure is not trivial: it contributes to an unfortunate, long-standing perception of information security as an inhibitor of productivity[1][2] rather than an essential contributor to organizational success. Gently phrased as “the cost of doing business,” information security activities have been accepted by organizations without any effective measure of the return they receive on the investment they make.

In NIST’s Special Publication 800-55, “Performance Measurement Guide for Information Security,” the authors wrote, “An information security measurement program will enable organizations to quantify improvements in securing information systems and demonstrate quantifiable progress in accomplishing agency strategic goals and objectives.”[3] In order to quantify and effectively communicate success, information security professionals need to improve alignment with their organization’s strategic goals and develop meaningful measures that demonstrate not only that the myriad controls are installed and functioning, but also that the enterprise is deriving value from its investment. While some[4][5] are working on this challenge, implementation of relevant measures is far from ubiquitous. That is a battle that we need to win.
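To make the distinction concrete, here is an added example (not code from the original post, and not from NIST) that computes measures over a constructed host inventory. It separates an easy-to-tally implementation measure (anti-virus installed) from an effectiveness measure (signatures actually current), and then ties patch remediation on business-critical hosts to an operational target. SP 800-55 Rev. 1 distinguishes implementation measures from effectiveness/efficiency and impact measures; the host names, the 7-day signature threshold, the 14-day patch SLA, and the `as_of` date are all assumptions chosen for the illustration.

```python
"""Added example: security measures that go beyond 'number of viruses blocked'.

Constructed sample data; thresholds and SLA values are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    business_critical: bool
    av_installed: bool
    signature_age_days: Optional[int]   # days since last AV signature update; None if no AV
    critical_patches: Tuple[Tuple[date, Optional[date]], ...]  # (disclosed, remediated or None)


# Constructed sample inventory (hypothetical hosts, not real data).
HOSTS = (
    Host("web01", True, True, 2, ((date(2011, 8, 1), date(2011, 8, 5)),)),
    Host("db01", True, True, 30, ((date(2011, 8, 1), date(2011, 8, 20)),
                                   (date(2011, 8, 15), None))),      # still open
    Host("hr01", False, True, 1, ((date(2011, 8, 1), None),)),
    Host("lab01", False, False, None, ()),
    Host("mail01", True, True, 3, ((date(2011, 8, 10), date(2011, 8, 14)),)),
)


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def av_installed_pct(hosts=HOSTS) -> float:
    """Implementation measure: the control is deployed (easy to tally)."""
    return pct(sum(1 for h in hosts if h.av_installed), len(hosts))


def av_current_pct(hosts=HOSTS, max_age_days: int = 7) -> float:
    """Effectiveness measure: the deployed control is actually working.

    A host with AV installed but stale signatures counts as installed, not current,
    which is exactly the gap an implementation-only number hides.
    """
    current = sum(
        1 for h in hosts
        if h.av_installed and h.signature_age_days is not None
        and h.signature_age_days <= max_age_days
    )
    return pct(current, len(hosts))


def _exposure_days(hosts, as_of: date):
    """Days each critical patch left a business-critical host exposed.

    Open patches count their exposure up to `as_of`, so an unremediated
    vulnerability keeps getting worse instead of disappearing from the numbers.
    """
    days = []
    for h in hosts:
        if not h.business_critical:
            continue
        for disclosed, remediated in h.critical_patches:
            end = remediated if remediated is not None else as_of
            days.append((end - disclosed).days)
    return days


def median_exposure_days(hosts=HOSTS, as_of: date = date(2011, 9, 7)) -> float:
    """Efficiency measure: median time a business-critical host stays exposed."""
    days = _exposure_days(hosts, as_of)
    return float(median(days)) if days else 0.0


def patch_sla_pct(hosts=HOSTS, as_of: date = date(2011, 9, 7), sla_days: int = 14) -> float:
    """Share of critical patches on business-critical hosts closed within the SLA.

    This is the number that connects to an operational commitment the business
    can recognise, unlike a raw count of patches applied.
    """
    days = _exposure_days(hosts, as_of)
    return pct(sum(1 for d in days if d <= sla_days), len(days))


def scorecard(hosts=HOSTS, as_of: date = date(2011, 9, 7)) -> dict:
    """Assemble the measures a manager would report side by side."""
    return {
        "av_installed_pct": av_installed_pct(hosts),
        "av_current_pct": av_current_pct(hosts),
        "median_exposure_days": median_exposure_days(hosts, as_of),
        "patch_sla_pct": patch_sla_pct(hosts, as_of),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name:>22}: {value}")
```

Run stand-alone, the scorecard shows 80% of hosts with anti-virus installed but only 60% with current signatures, and a 50% SLA hit rate with a median exposure of 11.5 days on business-critical hosts. The first number is the one that is easy to report; the last two are the ones that say something about whether the organization is getting what it paid for.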




One response

8 09 2011

I wholeheartedly agree with you here. This argument could go as far as merely justifying to the CFO and CEO why they need to keep spending (or spend more) money on security investments, but that’s somewhat short-sighted. You make a compelling argument – if I’ve understood you correctly – that it extends to the point of being able to show legitimate successes so that leaders realize it’s about more than just being a producer or cost center.
