Forward progress. That’s all that can be expected in an information security program, right? After all, if it’s good enough for business leaders and politicians, why wouldn’t it apply to IT and security?

I’m not convinced that forward progress in and of itself is a good strategy, or that it’s reflective of doing what’s right and good in terms of security. As with sports or anything else that requires developed skills, only perfect practice makes perfect. In other words, just because you’re going through the motions with something doesn’t mean you’re any good at it.

A False Sense of Security

In terms of security, your written policies, technical controls, user training programs and the like might look good, but they don’t immediately translate into minimized risks. Based on what we have learned about what we don’t know, including where information is located and how it’s currently at risk, all the money and effort being thrown into security programs simply creates a false sense of security.

So how can you tell when positive things are happening? Is progress defined by security remediation efforts? Perhaps it’s when security commands the attention — and budget — of executive management? I often witness things just getting stalled out with security. Time passes, risks remain the same.

Metrics Makes for Muddy Waters

The road to hell is paved with good intentions, and it’s often jammed full of people hoping to accomplish something with security to show forward motion. I’m not convinced that approach is a good one. With all the business, legal and regulatory requirements impacting security initiatives, there has to be more.

Some people might suggest that you simply need to integrate security metrics into the equation and everything else will fall into place. I think there is value and merit in security metrics, but I have yet to see an organization integrate metrics into its overall program in an effective and efficient manner. Metrics can be complicated, especially for IT and security professionals who do not have backgrounds in business analytics or finance. Furthermore, they can end up muddying the waters, given that there are so many unknowns and intangibles associated with security.

The Makings of a Great Security Program

I’m not convinced that security progress measurement is tangible. I do know, however, that a successful information security program has high visibility and support across the organization. A great program also has a sharp group of motivated individuals who are eager to take proactive steps every day to analyze and minimize known risks. These individuals tend to stick around for years because they know they won’t have it better anywhere else.

A great program not only gets the word out and sets users’ expectations so that they’re part of the team, but it also takes proactive steps to find, understand and resolve security gaps wherever it’s reasonable. Just as importantly, it stays out of the way of users and the business.

When You’re Making Progress, You’ll Know

You’ll know when you’re progressing. You’ll be happy about what you’re doing, and others will be happy about what they’re seeing. Rather than approaching security from an “ignorance is bliss” perspective, you’ll have that gut feeling that good things are happening. Just don’t become complacent. You can’t afford to let your guard down when your confidence is up. Don’t settle for less when backing and budget might become limited. As the saying goes, “good enough” rarely is.

Instead, define your goals and see them through. If you practice what I call relentless incrementalism year after year, you’re guaranteed to make progress that speaks volumes, even when you can’t see it or touch it.

Listen to the podcast: If You Can’t Measure It, You Can’t Manage It

more from Risk Management

A Response Guide for New NSA and CISA Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) recently published a report highlighting a range of critical security vulnerabilities requiring attention from organizations of all types. The report was published with input from the National Security Agency (NSA) and similar agencies worldwide. It should be considered essential reading.  Many of the vulnerabilities in the report are not new. Instead, the report…