Last month we asked the question, “What is security’s role in the enterprise?” It turns out the answer isn’t that simple. I’d like to follow that up with what seems to be an easy question.
How would you evaluate security’s role? How do you measure what you do if your role is managing security risks? Most security metrics presented today give some insight into how effectively and efficiently security programs are being executed. Of course, those measurements are necessary. It’s essential to measure and communicate how your programs are working; we have budgets and bosses that demand to know our efforts and budgets are being put to good use. But do those measurements of effectiveness and efficiency properly evaluate security’s role in managing security risks?
The programs themselves may have a direct impact on the overall risk profile of a company. In fact, a program that is both effective and efficient should have an impact on the risk profile, and a combination of many well-executed programs should surely have a bigger impact on the enterprise’s security risk profile. However, do the current measurements of how effective and efficient programs are really measure the impact those programs have on the risk profile? That is not to say the metrics are wrong; I’m just not sure they adequately answer the question of how to evaluate security’s role.
So, how do you evaluate security’s role in your enterprise? It is possible to measure the impact that programs are having on the risk profile. It can be measured through risk reduction modeling: showing that risks have been reduced and communicating the residual risk that remains within the enterprise after programs are put in place. Of course, risks contain many variables, some outside our control; nonetheless, it is still a reportable value that the business appreciates.
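As an added illustration of what "risk reduction modeling" can look like in practice (this is example code written for this column, not the author's method and not the scoring formula of any of the ISO 31000, COBIT 5 or COSO frameworks), the following assumes a constructed 1–5 likelihood and impact scale, a constructed list of three risks, and made-up reduction factors for four security programs. It reports inherent risk, residual risk after the programs are applied, the overall reduction, and how much residual risk each program is marginally responsible for removing.

```python
"""Toy risk-reduction model: inherent score -> residual score per program mix.

Scales, risks, programs and reduction factors below are all constructed for
illustration; substitute your own register and control assessments.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    likelihood: float  # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: float      # constructed scale: 1 (negligible) .. 5 (severe)

    @property
    def inherent(self) -> float:
        """Inherent (pre-control) score: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass
class Program:
    name: str
    # Fraction (0..1) by which this program reduces a named risk's likelihood/impact.
    likelihood_reduction: dict = field(default_factory=dict)
    impact_reduction: dict = field(default_factory=dict)


def residual_score(risk: Risk, programs: list) -> float:
    """Apply each program's reduction multiplicatively (assumes independent controls)."""
    likelihood, impact = risk.likelihood, risk.impact
    for p in programs:
        likelihood *= 1.0 - p.likelihood_reduction.get(risk.name, 0.0)
        impact *= 1.0 - p.impact_reduction.get(risk.name, 0.0)
    return likelihood * impact


def risk_profile(risks: list, programs: list) -> dict:
    """Per-risk inherent/residual scores plus totals and overall reduction percentage."""
    rows = [
        {"risk": r.name, "inherent": r.inherent, "residual": residual_score(r, programs)}
        for r in risks
    ]
    inherent_total = sum(row["inherent"] for row in rows)
    residual_total = sum(row["residual"] for row in rows)
    reduction_pct = 100.0 * (1.0 - residual_total / inherent_total) if inherent_total else 0.0
    return {
        "rows": rows,
        "inherent_total": inherent_total,
        "residual_total": residual_total,
        "reduction_pct": reduction_pct,
    }


def program_contribution(risks: list, programs: list) -> dict:
    """Marginal residual risk each program removes: residual without it minus residual with it.

    Because controls overlap, these marginal values do not sum to the total reduction;
    they answer "what would we lose if this program went away?", which is usually the
    question a budget holder actually asks.
    """
    with_all = risk_profile(risks, programs)["residual_total"]
    return {
        p.name: risk_profile(risks, [q for q in programs if q is not p])["residual_total"] - with_all
        for p in programs
    }


# Constructed sample register and program mix.
RISKS = [
    Risk("ransomware on file servers", likelihood=4, impact=5),
    Risk("credential phishing", likelihood=5, impact=3),
    Risk("lost unencrypted laptop", likelihood=3, impact=4),
]
PROGRAMS = [
    Program("patch management", likelihood_reduction={"ransomware on file servers": 0.5}),
    Program("phishing awareness + MFA",
            likelihood_reduction={"credential phishing": 0.6, "ransomware on file servers": 0.2}),
    Program("full-disk encryption", impact_reduction={"lost unencrypted laptop": 0.75}),
    Program("tested backups", impact_reduction={"ransomware on file servers": 0.6}),
]


if __name__ == "__main__":
    profile = risk_profile(RISKS, PROGRAMS)
    for row in profile["rows"]:
        print(f"{row['risk']:<32} inherent {row['inherent']:5.1f}  residual {row['residual']:5.1f}")
    print(f"total inherent {profile['inherent_total']:.1f}, residual {profile['residual_total']:.1f}, "
          f"reduction {profile['reduction_pct']:.0f}%")
    for name, delta in program_contribution(RISKS, PROGRAMS).items():
        print(f"  {name:<28} removes {delta:.1f} of residual risk")
```

The multiplicative treatment of reductions is the model's biggest assumption: it treats programs as independent, so two controls that address the same failure point will be over-credited. Even so, the two numbers the business cares about, "how much did we reduce" and "how much is left", fall straight out of the model, and the per-program marginal figure ties a task-level program back to the risk profile it is supposed to move.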
There are many different risk measurement models available, including ISO 31000, COBIT 5 and COSO. As complicated as it may seem, it has been done before. What’s the value in going down this path? As we discussed in prior columns, the security industry is changing. Security risks now have the potential to significantly impact business resiliency, hence the expectations of executives on how security is managed are also changing.
Risk-based measurement is necessary to communicate a strategic program to executives. Task-based measurements (effectiveness and efficiency) are necessary, but they remain task-based. Risk-based measurement is strategic, and it is becoming the expectation of executives. The risk measurements can be applied program by program, no matter how complex or mature the program is. It’s not necessary that security risk reporting happen at the executive level. It will force you to think about your efforts a bit differently, and it’ll add some depth and purpose. It’s worth a shot exploring. Worst case scenario, it’ll be a good learning experience.