Performance Measurement

7 09 2011

Information security professionals are fighting a losing battle, and we are often our own worst enemies.  This battle is not the mundane combat against technical threats of the day. Nor is it against the users that we are trying to support.  The battle that we consistently lose is the ability to communicate success.

As security professionals, we have many responsibilities. Among these are the need to repel the wily hacker and to ensure that authorized users can access data where and when they need it. We must ensure compliance needs are met, stop the ever-persistent malware, educate users, and plan for disasters. All the while, we must ensure that business functions succeed on the corporate network, on iPads, on smart phones, and across the globe. Yet, as capable people with advanced tools and techniques meet these responsibilities on a daily basis, successes remain largely unrecognized.

There are a number of possible explanations of why information security professionals fail to communicate success. One is the illusion that security lies in the absence of negative events: the false comfort provided by luck or ignorance, rather than by planning and diligence, can be mistaken for excellence in security management. Another is the absence of relevant measures. We often measure what is easy to tally, such as the number of viruses blocked or the number of help desk calls handled in a day. Where many information security managers fail is in connecting those numbers to the operational needs of the organization. The result of this failure is not trivial: it contributes to an unfortunate, long-standing perception of information security as an inhibitor of productivity[1][2], rather than an essential contributor to organizational success. Gently phrased as “the cost of doing business,” organizations have accepted the need for information security activities without any effective measure of the return they receive on the investment they make.

In NIST’s Special Publication 800-55, “Performance Measurement Guide for Information Security,” the authors wrote, “An information security measurement program will enable organizations to quantify improvements in security information systems and demonstrate quantifiable progress in accomplishing agency strategic goals and objectives.”[3] In order to quantify and effectively communicate success, information security professionals need to improve alignment with their organization’s strategic goals and develop meaningful measures that demonstrate not only that the myriad controls are installed and functioning, but also that the enterprise is deriving value from its investment. While some[4][5] are working on this challenge, implementation of relevant measures is far from ubiquitous. That is a battle that we need to win.