Measuring the Success of Your IT Security Program
By Rob Kraus, Solutionary
How well is your security program operating?
Are the security controls you funded effective?
Have you applied some methodology to determine if you are achieving a return on investment (ROI) for your security initiatives?
Often the biggest battle faced when defining the security vision of an organization is budget; a six-letter word that keeps our hands tied and can impact effectiveness and robustness of an organization’s ability to thwart attacks.
However, in some cases you may obtain the appropriate budget and be able to implement your security vision. With this in mind, how does your organization realize the value of that investment?
Security controls are often intangible and hard to prove ROI. Organizations must define the terms in which they deem a security initiative and deployment to be a success. This can apply to a single component within the security vision, or the vision in its entirety.
Examples of questions and parameters to determine success can include:
§ What is the security control preventing?
§ What will determine a successful deployment?
§ How much risk and potential loss does the control mitigate?
§ What is the timeline for a positive return on investment?
§ Can the control provide value to other parts of the organization?
§ How do we recognize the effectiveness and celebrate its value?
§ Who needs visibility to the effectiveness of the control?
§ How often should we validate the continued effectiveness of the control?
There are certainly many more questions you can ask to determine the effectiveness of a control or security initiative; many of which may apply only to your specific environment. If you have trouble defining the impact of a security control beyond the fact that it makes you more secure, remember that the entire purpose of a security program is to help you meet your business objectives in a safe and secure manner. If all else fails, ask yourself, “How does this security control help me get my job done?”
Some benefits of being able to determine the effectiveness of the controls your organization implements are:
§ Proving the effectiveness of previous efforts can help build confidence of decision makers who need to endorse additional security budget, potentially increasing the chances of getting additional budget support.
§ Realizing what is effective, and what is not, can help identify blind spots and opportunities for future improvements.
§ Identifying effective controls helps your organization to focus its valuable resources on troubled areas as opposed to those that are already being addressed by effective controls.
§ Implementing successful controls helps build confidence in your security team’s mission and validates achievements and security milestones.
§ Enabling organizational leadership to directly realize the value of implementing security.
You will not be able to determine the effectiveness of security controls unless you set out to do so. Having the capability to genuinely evaluate the effectiveness of a control is often overlooked, and can be dangerous when it contributes to the misjudgment of how well protected your organization truly is.
Resources are precious, so make the best use of them.