March 29, 2017 By Kevin Beaver 3 min read

Forward progress. That’s all that can be expected in an information security program, right? After all, if it’s good enough for business leaders and politicians, why wouldn’t it apply to IT and security?

I’m not convinced that forward progress in and of itself is a good strategy, or that it’s reflective of doing what’s right and good in terms of security. As with sports or anything else that requires developed skills, only perfect practice makes perfect. In other words, just because you’re going through the motions with something doesn’t mean you’re any good at it.

A False Sense of Security

In terms of security, your written policies, technical controls, user training programs and the like might look good, but they don’t immediately translate into minimized risks. Based on what we have learned about what we don’t know, including where information is located and how it’s currently at risk, all the money and effort being thrown into security programs simply creates a false sense of security.

So how can you tell when positive things are happening? Is progress defined by security remediation efforts? Perhaps it’s when security commands the attention — and budget — of executive management? I often witness things just getting stalled out with security. Time passes, risks remain the same.

Metrics Makes for Muddy Waters

The road to hell is paved with good intentions, and it’s often jammed full of people hoping to accomplish something with security to show forward motion. I’m not convinced that approach is a good one. With all the business, legal and regulatory requirements impacting security initiatives, there has to be more.

Some people might suggest that you simply need to integrate security metrics into the equation and everything else will fall into place. I think there is value and merit in security metrics, but I have yet to see an organization integrate metrics into its overall program in an effective and efficient manner. Metrics can be complicated, especially for IT and security professionals who do not have backgrounds in business analytics or finance. Furthermore, they can end up muddying the waters, given that there are so many unknowns and intangibles associated with security.

The Makings of a Great Security Program

I’m not convinced that security progress measurement is tangible. I do know, however, that a successful information security program has high visibility and support across the organization. A great program also has a sharp group of motivated individuals who are eager to take proactive steps every day to analyze and minimize known risks. These individuals tend to stick around for years because they know they won’t have it better anywhere else.

A great program not only gets the word out and sets users’ expectations so that they’re part of the team, but it also takes proactive steps to find, understand and resolve security gaps wherever it’s reasonable. Just as importantly, it stays out of the way of users and the business.

When You’re Making Progress, You’ll Know

You’ll know when you’re progressing. You’ll be happy about what you’re doing, and others will be happy about what they’re seeing. Rather than approaching security from an “ignorance is bliss” perspective, you’ll have that gut feeling that good things are happening. Just don’t become complacent. You can’t afford to let your guard down when your confidence is up. Don’t settle for less when backing and budget might become limited. As the saying goes, “good enough” rarely is.

Instead, define your goals and see them through. If you practice what I call relentless incrementalism year after year, you’re guaranteed to make progress that speaks volumes, even when you can’t see it or touch it.

Listen to the podcast: If You Can’t Measure It, You Can’t Manage It

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today