Security and technology leaders need to measure success, but too often the exercise focuses more on the absence of failure than on the presence of success, with security being defined by what it isn’t: it isn’t being breached, it isn’t being fined for non-compliance, it isn’t being “vulnerable” (with healthy debate as to what exactly that means). A laundry list of things not-to-be is a poor substitute for a map and a compass.
Fortunately, a successful security strategy need not be framed negatively as the absence of failure. It can be framed positively, with indicators that you’re on the right path, so long as you’re willing to align your security vocabulary with your risk vocabulary.
After all, risk is a cross-organizational concept that drives business outcomes. Security itself is a domain of risk, and security investments are best described as impacting risk mitigation—reducing the probability and impact of expected losses. When vertical alignment around risk outcomes occurs explicitly in an organization between the tactical and operational security functions and the strategic leadership layer, we have clear line of sight between security investments, the return on those investments, and how far they move the needle on the security journey.
With the above in mind, here are some reasonable targets—understanding the fronts you’re fighting on, correctly defining what winning looks like, and measuring success in a way that translates into business outcomes.
First, organizational risk planning must acknowledge and explicitly prepare for the fronts on which this war is to be waged. Among the different ways of dividing up what is inevitably an interconnected space, one is to look at the internal, external, and technology fronts:
- The Internal Front comprises the things under our direct control, such as our people and our processes, that influence our risk. Success on this front aligns cultural risk incentives with risk outcomes.
- The External Front is where actors and activities outside of our control influence our risk. Success here ranges from planning for natural disasters on one hand, to motivated and persistent adversaries on the other.
- The Technology Front is the foundation of the modern business, and where the interplay between internal and external factors often plays out. Technology is never static, and so managing success on this front is about recognizing where you are, where you need to be, and the incremental steps along the journey even as it is disrupted by internal and external forces.
Failure to plan and account for all of these fronts increases the likelihood something will go wrong—in the sort of way that you wish it wouldn’t.
Second, instead of negatively defining success as preventing attacks, organizations must positively define success as the promotion of resilience. And what is resilience? It’s the state where things going wrong are handled before they make a material impact.
A secure organization is one where threats are identified, disruption is minimized, recovery is rapid, and loss is immaterial. Each of these becomes an input into a larger calculation of risk mitigation, and investments become proportional to their impact, ranging from the largely commoditized protective controls to the specific resilience objectives an organization has for detection, response, and recovery.
Historic failures in this regard occur when organizations place a misguided focus on preventing all threats or being strictly satisfied by maintaining compliance. Both are important in their own right, but the first creates a culture fixated on an unattainable (and frankly, less important) goal, while the second creates a ceiling out of what may not even be suitable for a floor.
Third, across nearly every business domain, risk is quantifiable as loss expectancy communicated in the dimensions of probability and impact (expressed in your currency of choice)—why should security be the exception?
This last target enables strategic decision makers to compare security risks to other risks the business faces and allocate capital and resources to optimize business outcomes and understand the ROI they’ll realize on their risk strategy.
Fifty “yellow” servers with “critical” vulnerabilities, or a data center at risk of disruption from seasonal hurricanes: which one is worse, and how should an organization prioritize limited resources into a plan of action? Over-privileged, at-risk users with access to sensitive data, or failure to meet time-to-market objectives on a new product? And what about a few public-facing web servers on end-of-life run-time environments? Where do they fit into the organization’s priorities? Without a common language of comparison, optimal prioritization is exceptionally difficult. To a business, that language is ultimately loss expectancy and ROI.
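To make the comparison concrete, here is an added example (not from the article) that expresses the scenarios above as loss expectancy (probability × impact), ranks them, and then ranks candidate mitigations by ROI. All probabilities, impacts, costs and mitigation effects are constructed sample figures; the point is that the largest raw exposure is not automatically the best place to spend the next dollar.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed as loss expectancy: probability x impact."""
    name: str
    annual_probability: float  # chance the loss event occurs within a year
    impact: float              # loss per occurrence, in the currency of choice

    def loss_expectancy(self) -> float:
        return self.annual_probability * self.impact

@dataclass(frozen=True)
class Mitigation:
    """A candidate investment and the fraction of risk it leaves behind."""
    name: str
    scenario: str
    annual_cost: float
    residual_probability: float = 1.0  # multiplier on probability; 1.0 = unchanged
    residual_impact: float = 1.0       # multiplier on impact; 1.0 = unchanged

def risk_reduction(s: Scenario, m: Mitigation) -> float:
    """Loss expectancy removed by applying mitigation m to scenario s."""
    after = (s.annual_probability * m.residual_probability) * (s.impact * m.residual_impact)
    return s.loss_expectancy() - after

def mitigation_roi(s: Scenario, m: Mitigation) -> float:
    """Return on the investment: (risk reduction - cost) / cost; negative means it loses money."""
    return (risk_reduction(s, m) - m.annual_cost) / m.annual_cost

def rank_by_loss_expectancy(scenarios):
    return sorted(((s.name, s.loss_expectancy()) for s in scenarios), key=lambda t: -t[1])

def rank_mitigations_by_roi(scenarios, mitigations):
    by_name = {s.name: s for s in scenarios}
    pairs = ((m.name, mitigation_roi(by_name[m.scenario], m)) for m in mitigations)
    return sorted(pairs, key=lambda t: -t[1])

# Constructed sample figures (not from the article) for the scenarios it lists.
SCENARIOS = [
    Scenario("yellow servers with critical vulns", 0.30, 400_000),
    Scenario("data center hurricane disruption", 0.15, 2_000_000),
    Scenario("over-privileged users, sensitive data", 0.10, 1_500_000),
    Scenario("public web servers on EOL runtimes", 0.25, 800_000),
]
MITIGATIONS = [
    Mitigation("patch the yellow servers", SCENARIOS[0].name, 30_000, residual_probability=0.2),
    Mitigation("hot failover site", SCENARIOS[1].name, 250_000, residual_impact=0.25),
    Mitigation("least-privilege review", SCENARIOS[2].name, 40_000, 0.5, 0.5),
    Mitigation("replace EOL runtimes", SCENARIOS[3].name, 60_000, residual_probability=0.2),
]
```

With these figures the hurricane scenario carries the highest loss expectancy, yet its (expensive) failover control has a negative ROI, while patching the servers with the smallest exposure returns the most per unit spent.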
And there you have it, practical targets for progress on an organization’s security—understanding where and how you’re at risk, understanding that success is about impact and not prevention, and then communicating that insight in a way that resonates with your top-level business stakeholders.
If you’re already aiming at these targets, you’re well on your way to where you want to be. And if you’re not, it’s time to stop focusing on the absence of failure and instead break out your security map and compass.