March 29, 2017 By Kevin Beaver

Forward progress. That’s all that can be expected in an information security program, right? After all, if it’s good enough for business leaders and politicians, why wouldn’t it apply to IT and security?

I’m not convinced that forward progress in and of itself is a good strategy, or that it’s reflective of doing what’s right and good in terms of security. As with sports or anything else that requires developed skills, only perfect practice makes perfect. In other words, just because you’re going through the motions with something doesn’t mean you’re any good at it.

A False Sense of Security

In terms of security, your written policies, technical controls, user training programs and the like might look good, but they don’t immediately translate into minimized risks. Based on what we have learned about what we don’t know, including where information is located and how it’s currently at risk, all the money and effort being thrown into security programs simply creates a false sense of security.

So how can you tell when positive things are happening? Is progress defined by security remediation efforts? Perhaps it’s when security commands the attention — and budget — of executive management? I often witness things just getting stalled out with security. Time passes, risks remain the same.

Metrics Make for Muddy Waters

The road to hell is paved with good intentions, and it’s often jammed full of people hoping to accomplish something with security to show forward motion. I’m not convinced that approach is a good one. With all the business, legal and regulatory requirements impacting security initiatives, there has to be more.

Some people might suggest that you simply need to integrate security metrics into the equation and everything else will fall into place. I think there is value and merit in security metrics, but I have yet to see an organization integrate metrics into its overall program in an effective and efficient manner. Metrics can be complicated, especially for IT and security professionals who do not have backgrounds in business analytics or finance. Furthermore, they can end up muddying the waters, given that there are so many unknowns and intangibles associated with security.

The Makings of a Great Security Program

I’m not convinced that security progress measurement is tangible. I do know, however, that a successful information security program has high visibility and support across the organization. A great program also has a sharp group of motivated individuals who are eager to take proactive steps every day to analyze and minimize known risks. These individuals tend to stick around for years because they know they won’t have it better anywhere else.

A great program not only gets the word out and sets users’ expectations so that they’re part of the team, but it also takes proactive steps to find, understand and resolve security gaps wherever it’s reasonable. Just as importantly, it stays out of the way of users and the business.

When You’re Making Progress, You’ll Know

You’ll know when you’re progressing. You’ll be happy about what you’re doing, and others will be happy about what they’re seeing. Rather than approaching security from an “ignorance is bliss” perspective, you’ll have that gut feeling that good things are happening. Just don’t become complacent. You can’t afford to let your guard down when your confidence is up. Don’t settle for less when backing and budget might become limited. As the saying goes, “good enough” rarely is.

Instead, define your goals and see them through. If you practice what I call relentless incrementalism year after year, you’re guaranteed to make progress that speaks volumes, even when you can’t see it or touch it.
