March 29, 2017 By Kevin Beaver 3 min read

Forward progress. That’s all that can be expected in an information security program, right? After all, if it’s good enough for business leaders and politicians, why wouldn’t it apply to IT and security?

I’m not convinced that forward progress in and of itself is a good strategy, or that it’s reflective of doing what’s right and good in terms of security. As with sports or anything else that requires developed skills, only perfect practice makes perfect. In other words, just because you’re going through the motions with something doesn’t mean you’re any good at it.

A False Sense of Security

In terms of security, your written policies, technical controls, user training programs and the like might look good, but they don’t immediately translate into minimized risks. Based on what we have learned about what we don’t know, including where information is located and how it’s currently at risk, all the money and effort being thrown into security programs simply creates a false sense of security.

So how can you tell when positive things are happening? Is progress defined by security remediation efforts? Perhaps it’s when security commands the attention — and budget — of executive management? I often witness things just getting stalled out with security. Time passes, risks remain the same.

Metrics Makes for Muddy Waters

The road to hell is paved with good intentions, and it’s often jammed full of people hoping to accomplish something with security to show forward motion. I’m not convinced that approach is a good one. With all the business, legal and regulatory requirements impacting security initiatives, there has to be more.

Some people might suggest that you simply need to integrate security metrics into the equation and everything else will fall into place. I think there is value and merit in security metrics, but I have yet to see an organization integrate metrics into its overall program in an effective and efficient manner. Metrics can be complicated, especially for IT and security professionals who do not have backgrounds in business analytics or finance. Furthermore, they can end up muddying the waters, given that there are so many unknowns and intangibles associated with security.

The Makings of a Great Security Program

I’m not convinced that security progress measurement is tangible. I do know, however, that a successful information security program has high visibility and support across the organization. A great program also has a sharp group of motivated individuals who are eager to take proactive steps every day to analyze and minimize known risks. These individuals tend to stick around for years because they know they won’t have it better anywhere else.

A great program not only gets the word out and sets users’ expectations so that they’re part of the team, but it also takes proactive steps to find, understand and resolve security gaps wherever it’s reasonable. Just as importantly, it stays out of the way of users and the business.

When You’re Making Progress, You’ll Know

You’ll know when you’re progressing. You’ll be happy about what you’re doing, and others will be happy about what they’re seeing. Rather than approaching security from an “ignorance is bliss” perspective, you’ll have that gut feeling that good things are happening. Just don’t become complacent. You can’t afford to let your guard down when your confidence is up. Don’t settle for less when backing and budget might become limited. As the saying goes, “good enough” rarely is.

Instead, define your goals and see them through. If you practice what I call relentless incrementalism year after year, you’re guaranteed to make progress that speaks volumes, even when you can’t see it or touch it.

Listen to the podcast: If You Can’t Measure It, You Can’t Manage It

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today