As an illustration, a large US retailer defines its CISO’s mission as:
- Ensure our site is available to our customers when they want to shop
- Ensure that our customers feel safe and secure as they shop with us
- Ensure that our customers' information is safe with us at all times
- Ensure that we satisfy the necessary legal, regulatory or internal requirements so that we remain a viable business.
The unrealistic goal
Many executive teams set their CISO up for failure by defining the 'mission' as zero breaches. In the real world, things will happen: vulnerabilities will be exploited, and the organization may suffer a breach in spite of its best efforts. With 'zero breaches' as the target, your CISO will either fail or resign first.
Instead, ask for metrics and indicators that demonstrate success measured against achievable goals and continual incremental improvement. Good examples are:
- Percentage of breaches that have resulted in loss
- Mean time to detect and remediate breaches
- Reduction in the risk or impact of the incidents detected
- How often is the infrastructure offline: for how long, what caused the outage, and what could be changed to reduce outages?
- Are processes being adhered to?
- Are security practices being circumvented: which ones, by whom, what alternatives could be introduced, and what actions were taken to deter future infractions?
Exactly which metrics will be useful is specific to each organisation, as it is determined by the business's goals. However, the principles remain the same:
Set the priority framework: From the outset, everyone within the business should understand what needs to be done to meet the organisation’s objectives. The metrics collected are to verify how well this is being met – or not! This ultimately helps focus efforts on what few things can be done today, to make the most progress towards the end goal. There will always be too much to do – priorities enable staff to make good decisions that align with the priorities of the business.
Perfection takes time: While the end goal may be perfection, a few mini targets of continuous improvement along the road will help build confidence.
Wheat or chaff: Rather than getting into granular detail, IT should be able to quickly and easily abstract the salient statistics based on the mission. Solutions exist that automate the collection of metrics and then measure them against rules. Results are flagged with red, yellow or green indicators, so performance can be determined at a glance, showing where the organisation is on track and highlighting what requires immediate attention.
Use them or lose them: If IT is regularly producing a report that is not being used, or is deemed to offer little value, why let it continue? Either the statistics need to be presented in another, more useful format, or they should not be collected at all.
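To make two of the metrics listed above concrete (percentage of breaches resulting in loss, and mean time to detect and remediate) and to show the rules-to-red/yellow/green evaluation described under "Wheat or chaff", here is an added example that is not part of the original article and does not describe any particular vendor's product. The incident schema, the sample incidents and the thresholds are all constructed assumptions; real thresholds must come from the organisation's own priorities.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Incident:
    """One security incident as recorded by the IR team (constructed sample schema)."""
    name: str
    occurred: datetime              # earliest attacker activity established by forensics
    detected: datetime              # when the SOC opened the case
    remediated: Optional[datetime]  # None while the incident is still open
    resulted_in_loss: bool          # money, data or availability actually lost

def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600

def mean_time_to_detect_hours(incidents):
    """MTTD: average gap between first attacker activity and detection."""
    if not incidents:
        return None  # no data is not the same as zero
    return sum(_hours(i.detected, i.occurred) for i in incidents) / len(incidents)

def mean_time_to_remediate_hours(incidents):
    """MTTR: average gap between detection and closure; open incidents are excluded."""
    closed = [i for i in incidents if i.remediated is not None]
    if not closed:
        return None
    return sum(_hours(i.remediated, i.detected) for i in closed) / len(closed)

def loss_percentage(incidents):
    """Share of incidents that actually resulted in loss."""
    if not incidents:
        return None
    return 100.0 * sum(i.resulted_in_loss for i in incidents) / len(incidents)

def rag(value, green_max, yellow_max):
    """Map a metric to green/yellow/red against ceilings; missing data is 'grey'."""
    if value is None:
        return "grey"
    if value <= green_max:
        return "green"
    if value <= yellow_max:
        return "yellow"
    return "red"

# Illustrative rules (assumed thresholds, not values the article prescribes):
# metric name -> (metric function, green ceiling, yellow ceiling)
RULES = {
    "mttd_hours": (mean_time_to_detect_hours, 24.0, 72.0),
    "mttr_hours": (mean_time_to_remediate_hours, 24.0, 72.0),
    "loss_pct":   (loss_percentage, 10.0, 25.0),
}

def scorecard(incidents, rules=RULES):
    """Return {metric: (value, status)} for an at-a-glance view."""
    out = {}
    for name, (fn, green_max, yellow_max) in rules.items():
        value = fn(incidents)
        out[name] = (value, rag(value, green_max, yellow_max))
    return out

# Constructed sample incidents for one quarter (not real data).
SAMPLE = [
    Incident("phish-01", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 14),
             datetime(2024, 3, 2, 14), False),
    Incident("webshell-02", datetime(2024, 3, 5, 0), datetime(2024, 3, 7, 0),
             datetime(2024, 3, 8, 12), True),
    Incident("creds-03", datetime(2024, 3, 10, 9), datetime(2024, 3, 10, 10),
             None, False),  # still open: counts for MTTD, not for MTTR
]

if __name__ == "__main__":
    for metric, (value, status) in scorecard(SAMPLE).items():
        shown = "n/a" if value is None else f"{value:.1f}"
        print(f"{metric:<11} {shown:>6}  {status}")
```

Two design points matter more than the arithmetic: an empty or all-open data set yields "grey" rather than a misleading green, and an open incident still counts toward time-to-detect so that slow remediation cannot hide it from the detection metric.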