Forward progress. That’s all that can be expected in an information security program, right? After all, if it’s good enough for business leaders and politicians, why wouldn’t it apply to IT and security?

I’m not convinced that forward progress in and of itself is a good strategy, or that it’s reflective of doing what’s right and good in terms of security. As with sports or anything else that requires developed skills, only perfect practice makes perfect. In other words, just because you’re going through the motions with something doesn’t mean you’re any good at it.

A False Sense of Security

In terms of security, your written policies, technical controls, user training programs and the like might look good on paper, but they don't automatically translate into minimized risk. Given how much we still don't know, including where sensitive information is actually located and how it's currently exposed, all the money and effort being thrown into security programs simply creates a false sense of security.

So how can you tell when positive things are happening? Is progress defined by security remediation efforts? Perhaps it's when security commands the attention — and budget — of executive management? I often witness security efforts simply stalling out: time passes, and the risks remain the same.

Metrics Makes for Muddy Waters

The road to hell is paved with good intentions, and it’s often jammed full of people hoping to accomplish something with security to show forward motion. I’m not convinced that approach is a good one. With all the business, legal and regulatory requirements impacting security initiatives, there has to be more.

Some people might suggest that you simply need to integrate security metrics into the equation and everything else will fall into place. I think there is value and merit in security metrics, but I have yet to see an organization integrate metrics into its overall program in an effective and efficient manner. Metrics can be complicated, especially for IT and security professionals who do not have backgrounds in business analytics or finance. Furthermore, they can end up muddying the waters, given that there are so many unknowns and intangibles associated with security.

The Makings of a Great Security Program

I’m not convinced that security progress measurement is tangible. I do know, however, that a successful information security program has high visibility and support across the organization. A great program also has a sharp group of motivated individuals who are eager to take proactive steps every day to analyze and minimize known risks. These individuals tend to stick around for years because they know they won’t have it better anywhere else.

A great program not only gets the word out and sets users’ expectations so that they’re part of the team, but it also takes proactive steps to find, understand and resolve security gaps wherever it’s reasonable. Just as importantly, it stays out of the way of users and the business.

When You’re Making Progress, You’ll Know

You’ll know when you’re progressing. You’ll be happy about what you’re doing, and others will be happy about what they’re seeing. Rather than approaching security from an “ignorance is bliss” perspective, you’ll have that gut feeling that good things are happening. Just don’t become complacent. You can’t afford to let your guard down when your confidence is up. Don’t settle for less when backing and budget might become limited. As the saying goes, “good enough” rarely is.

Instead, define your goals and see them through. If you practice what I call relentless incrementalism year after year, you’re guaranteed to make progress that speaks volumes, even when you can’t see it or touch it.
