Sunday, January 3, 2010

A Successful Security Program: Metrics and Support are the key ingredients

Brendan Healy, EMTB, CISSP


Metrics can help drive support for Security Programs


Physicians don’t rely on qualitative impressions alone to choose a treatment. They need solid, quantifiable measurements to establish a baseline and to detect change in a patient’s status. The same is true of a security program. Senior managers are more willing to support security decisions when the baseline and the change from it are visible in measurable results. What cannot be measured is increasingly hard to manage (Zalud 2009).

Not all metrics are created equal. Actionable and meaningful metrics are what drive results home with management. Start by identifying, for each program goal, a candidate measurement or key performance indicator (KPI) that marks progress toward that goal (Zalud 2009).

Once the measurements are defined, collection of the data points can begin. Surveys, variance reports and other indicators are all methods of collecting useful data points. After the points are collected, baselines can be established and further correlation can be performed.
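The baseline-then-variance cycle described above, as an added example that is not part of the original post: a small Python script that turns a constructed list of vulnerability findings into two KPIs (mean days to remediate per month, and the fraction of findings closed within a service-level target), establishes a baseline over the first months, and produces a variance report that flags later months that drift from it. The finding records, the SLA targets and the two-standard-deviation flagging threshold are assumptions chosen for illustration, not values from the article.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Hypothetical remediation targets: days allowed to close a finding of each severity.
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding from a scanner or audit (constructed record format)."""
    fid: str
    severity: str
    opened: date
    closed: Optional[date]  # None while the finding is still open


# Constructed sample data, not real findings.
FINDINGS: List[Finding] = [
    Finding("V-001", "high",   date(2009, 7, 2),  date(2009, 7, 20)),
    Finding("V-002", "medium", date(2009, 7, 5),  date(2009, 8, 10)),
    Finding("V-003", "high",   date(2009, 8, 1),  date(2009, 8, 25)),
    Finding("V-004", "low",    date(2009, 8, 3),  date(2009, 9, 30)),
    Finding("V-005", "high",   date(2009, 9, 4),  date(2009, 9, 22)),
    Finding("V-006", "medium", date(2009, 9, 7),  date(2009, 10, 1)),
    Finding("V-007", "high",   date(2009, 10, 2), date(2009, 12, 15)),
    Finding("V-008", "high",   date(2009, 10, 6), date(2009, 12, 20)),
    Finding("V-009", "medium", date(2009, 11, 1), None),
    Finding("V-010", "high",   date(2009, 12, 1), None),
]


def month_key(d: date) -> str:
    return f"{d.year}-{d.month:02d}"


def days_to_close(f: Finding) -> Optional[int]:
    return None if f.closed is None else (f.closed - f.opened).days


def within_sla(f: Finding, as_of: date) -> bool:
    """Closed within target, or still open but not yet past target as of `as_of`."""
    end = f.closed or as_of
    return (end - f.opened).days <= SLA_DAYS[f.severity]


def monthly_mttr(findings: List[Finding]) -> Dict[str, float]:
    """KPI 1: mean days to remediate, grouped by the month the finding was closed."""
    buckets: Dict[str, List[int]] = {}
    for f in findings:
        d = days_to_close(f)
        if d is not None:
            buckets.setdefault(month_key(f.closed), []).append(d)
    return {m: mean(v) for m, v in sorted(buckets.items())}


def sla_rate_by_severity(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """KPI 2: fraction of findings of each severity that are within target as of `as_of`."""
    totals: Dict[str, int] = {}
    ok: Dict[str, int] = {}
    for f in findings:
        if f.opened > as_of:
            continue  # not yet opened at the reporting date
        totals[f.severity] = totals.get(f.severity, 0) + 1
        if within_sla(f, as_of):
            ok[f.severity] = ok.get(f.severity, 0) + 1
    return {sev: ok.get(sev, 0) / n for sev, n in totals.items()}


def baseline(series: Dict[str, float], months: List[str]) -> Tuple[float, float]:
    """Mean and population standard deviation of the KPI over the baseline months."""
    vals = [series[m] for m in months]  # KeyError if a baseline month has no data
    return mean(vals), pstdev(vals)


def variance_report(series: Dict[str, float], baseline_months: List[str], k: float = 2.0) -> Dict[str, dict]:
    """Flag months outside the baseline whose KPI departs from the baseline mean by more than k sigma."""
    mu, sd = baseline(series, baseline_months)
    report = {}
    for m, v in series.items():
        if m in baseline_months:
            continue
        flagged = (v != mu) if sd == 0 else abs(v - mu) > k * sd
        report[m] = {"value": v, "baseline_mean": mu, "baseline_sd": sd, "flag": flagged}
    return report


if __name__ == "__main__":
    mttr = monthly_mttr(FINDINGS)
    print("MTTR by month:", mttr)
    print("SLA rate by severity:", sla_rate_by_severity(FINDINGS, date(2009, 12, 31)))
    print("Variance report:", variance_report(mttr, ["2009-07", "2009-08", "2009-09", "2009-10"]))
```

In the constructed data, mean time to remediate holds between 18 and 38 days from July to October and then jumps to 74.5 days in December, which is far beyond two standard deviations of the baseline and is therefore flagged; that flagged month, together with the drop in the high-severity SLA rate, is the kind of actionable data point a manager can act on without needing to read the underlying findings.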




Proper placement within the organization is required for operational effectiveness


Security programs should have a clear and effective reporting structure within the organization. A proper reporting structure is essential to the independence and autonomy of any security management function.


Security programs are only as effective as the support they receive from senior management. Executive support and management buy-in are essential to an effective program. Proper placement within the organization, combined with transparent and actionable metrics, helps build the relationship with senior management. In turn, senior management is equipped to make effective decisions based on good data.

Physical security programs have often been placed within human resources, corporate real estate, or other functional areas. Are these the proper homes for a program whose job is to identify risks to the organization and take proactive steps to mitigate or reduce them? Information security programs have followed a similar lifecycle: their roots are generally in technology, and they often report within the Chief Technology Officer’s or Chief Information Officer’s organization.

Both physical and information security programs share one major goal: identify and mitigate risk. A security program should have a reporting structure with enough independence, to either the board of directors or the audit function, to ensure proper transparency (McCrie 2007). A “dotted line” or shared responsibility to a party outside the main management reporting chain provides the segregation of duties typically required by financial controls. Further, a solid line to the Chief Operating Officer or Chief Executive Officer empowers management to make good decisions based on the risks the security teams identify.

As organizational reporting structures evolve, both information and physical security programs can increase their ability to provide transparency. Proper placement relative to senior management, together with measurable and actionable metrics that allow those managers to make good decisions, is the basis of an effective security program.

References:


Zalud, Bill. “New Math: Security Means Business Performance.” Security Magazine, 1 Aug. 2009. Online.