Three simple words exist that can work magic for any business type — measure, manage, and optimize.
For thousands of years, we humans have devised ways to measure things. Almost instinctively, we know that measuring something is important, in many cases a key requirement for success. In business and in government, we have developed measurements and indicators to (hopefully) tell us where we are, or how we're doing, or to simply make sure that things fit correctly.
In business, measurement is probably the best known of the three components mentioned earlier. Assuming we're measuring the right things, we have to be able to do something meaningful with the results; that is where the management part comes in. Several years ago, Peter Drucker presented the idea that in order to successfully manage something, you must be able to measure it. So, in our efforts to improve our business, our measurement becomes a part of the process of management.
I have seen the discipline of information security mature from an obscure, rarely discussed area to one that impacts almost everyone on a daily basis. Our modern economy and market have created a high value for our information and our information-processing capability. The higher value creates more of an impact if something bad, intentional or unintentional, happens to our information. One problem this young discipline faced, and still faces to some extent, is the difficulty in identifying what items to measure. What do you measure when the objective is to keep things from happening? It's not possible (or so difficult as to be nearly impossible) to keep an accurate count of the bad things that didn't happen — the attackers who weren't able to break in to steal financial information, the viruses that didn't infect our corporate or home computer systems. And efforts to track bad events that do happen, to try to show that our efforts have had an effect, may be misleading. A downward trend in incidents might show that our controls are working. Of course, it might also reflect simply that there were fewer attacks on our systems, something that can be largely out of our control.
As the information security discipline has matured, though, so have the best practices and other generally accepted processes and standards. Also, various industries are guided by regulatory requirements. While there is a legitimate debate as to whether regulatory mandates are the best approach for a business, the fact is that these requirements have given us a framework for measurement. Tools have been developed that enable us to measure specific configurations and settings that impact our security, or to identify and correct vulnerabilities in our systems or programs. We have, finally, some benchmarks.
Many times, people talking about (or trying to sell) information security will ask you, "What keeps you awake at night?" in an effort to then address the concerns you have about your information security posture. I encourage you to think about your own personal answers to two questions instead. The first is "What can you do (or not do) related to information in your business that could get you fired?" The second question is "What can you do (or not do) related to information that could get you promoted?"
Why the two questions instead of one? Obviously, no one wants to be fired, and in general, people like to be promoted. I frame the problem of information protection like this because the right answer can keep the first from happening while possibly enabling the second. And because there is one thing that can be done, one process that can be implemented, to address both questions. What is the magic answer? It's a variation on the tried-and-true approach to management — being able to measure.
Today's company needs information security controls that can be appropriately measured. Knowing the right measurements, the right metrics, enables us to see where we are in relation to where we have identified that we need to be. We can use the standards, best practices and regulatory requirements to guide us in this effort. We can't blindly follow them, but if we look at our own businesses, our own valued information, we can begin to see which ones are important in reducing our risk to an acceptable level and which ones are less important. So we can identify meaningful metrics and begin to measure them.
But measurement is not enough. We must take the results of our measurements and use them in some process in order to maintain or improve our security posture. In other words, manage your security program just as you would any other key process or function in your organization. Use the metrics. Identify baselines, minimums, targets and goals. And then provide the right processes and resources to achieve those goals.
Measuring and managing allows us to ensure we have eliminated the concerns of the first question we asked ourselves. Measuring and managing our security process then enables us to begin to improve on our current systems, to identify wasted steps, to maximize our efficiencies, to get more out of our systems or to do things in a new way. Using the feedback of measuring and managing, we can begin to optimize our environment. And doing this gives us the opportunity to find answers to that second question.
In fact, the "measure, manage, optimize" approach can be used for almost any process or program within your business. My company believes in it so strongly that we are adopting it not only for use within our security and technology consulting practices, but are beginning to use it extensively for our own internal processes and procedures. We consider it to be more than an approach — to truly be a philosophy to embrace and share with others. We encourage you to apply it within your own organization.
Andy Brinkhorst is director of the Security Solutions Group at Systems Design Group and has over 14 years of information security experience.