Ian Harragan
Director at i-confidential
I wrote recently about the value of a security roadmap. As you progress on your journey, senior leaders, including the C-suite, need to be kept apprised of the latest position and what that means in terms of risk exposure.
The senior team will always want to know if the organisation is doing enough to ensure it ‘stays safe’. In turn, they will look for comfort that planned activities are delivering the desired outcomes.
A question to reflect on then is whether existing reporting structures focus on what key stakeholders want and need to see, rather than just regurgitating completed task lists and milestone box ticking.
Regular briefings can be effectively supported by using a set of insightful measures and metrics. Over time, appropriate measures with suitable RAG thresholds become the most reliable way of keeping everyone aligned on the effectiveness of the security control position and the associated weaknesses.
The right measures provide a consistent view of the control environment, and the associated thresholds should align to your desired levels of risk appetite with the appropriate tolerances applied. They may also vary depending on the importance of the underlying asset.
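As an added illustration (not from the article), the following Python sketch encodes measures with RAG thresholds that are tiered by asset importance: the same control is held to a tighter target and tolerance for critical assets than for standard ones, and every measure is computed against the full inventory so that assets the tooling never reached still count. Measure names, tiers and figures are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Appetite:
    """Risk appetite for one measure on one asset tier."""
    target: float           # level the business wants to see (Green at or beyond this)
    tolerance: float        # shortfall from target still treated as Amber, not Red
    higher_is_better: bool = True   # False for measures such as time-to-remediate

# Constructed appetite table: same control, tighter thresholds for critical assets.
APPETITE = {
    ("patch_compliance_pct", "critical"): Appetite(98.0, 2.0),
    ("patch_compliance_pct", "standard"): Appetite(90.0, 5.0),
    ("mttr_days", "critical"): Appetite(7.0, 3.0, higher_is_better=False),
    ("mttr_days", "standard"): Appetite(30.0, 10.0, higher_is_better=False),
}

RANK = {"GREEN": 0, "AMBER": 1, "RED": 2}

def rag(measure: str, tier: str, value: float) -> str:
    """Map a measured value to GREEN/AMBER/RED against the tier's appetite."""
    a = APPETITE[(measure, tier)]
    shortfall = (a.target - value) if a.higher_is_better else (value - a.target)
    if shortfall <= 0:
        return "GREEN"
    return "AMBER" if shortfall <= a.tolerance else "RED"

def coverage_pct(in_compliance: int, total_in_inventory: int) -> float:
    """Percentage against the whole inventory, not just the assets a tool reported on."""
    if total_in_inventory == 0:
        raise ValueError("no assets in scope for this tier")
    return 100.0 * in_compliance / total_in_inventory

# Constructed sample data: tier -> (assets patched within window, assets in inventory)
INVENTORY = {"critical": (39, 40), "standard": (160, 200)}
MTTR_DAYS = {"critical": 9.0, "standard": 20.0}   # constructed mean time to remediate

def report(inventory, mttr_days):
    """Per-tier RAG status for each measure, as it would appear in a briefing."""
    out = {}
    for tier, (patched, total) in inventory.items():
        out[tier] = {
            "patch_compliance_pct": rag("patch_compliance_pct", tier, coverage_pct(patched, total)),
            "mttr_days": rag("mttr_days", tier, mttr_days[tier]),
        }
    return out

def overall(rep) -> str:
    """Roll up to the worst status across all tiers and measures."""
    return max((s for tier in rep.values() for s in tier.values()), key=RANK.get)

if __name__ == "__main__":
    r = report(INVENTORY, MTTR_DAYS)
    for tier, statuses in r.items():
        print(tier, statuses)
    print("overall:", overall(r))
```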
A mistake that is all too common in business is to measure the wrong thing. This in turn leads to poor decisions and undermines performance. A ‘classic’ example comes from the ancient Roman physician Galen:
"All who drink of this remedy recover in a short time, except those whom it does not help, who all die. Therefore, it is obvious that it fails only in incurable cases."
Galen’s remedy might have been perfect, but by his logic it is also impossible to prove that it isn’t: he has discounted any evidence to the contrary.
More recently, there are business lessons that can be learned from the 2003 Michael Lewis book, ‘Moneyball’. This describes how the Oakland Athletics baseball club in the U.S. used carefully chosen statistics to build a winning team.
The club moved away from the traditional, opinion-based approach that relied on intuition and limited data. This often failed to identify players who were very effective in specific areas of the game but didn’t ‘look the part’ overall. Adopting a data-centric model enabled them to far more successfully predict performance.
Your security roadmap will have already set out your objectives. The measures you put in place need to reliably support these. They should also help to illustrate the activities that employees can undertake to achieve the desired aims.
A final thought here – nothing stays the same. Therefore, over time, you need to re-evaluate your measures to ensure they still support your goals.