Cool as McCumber

The feedback loop

A feedback loop is also a vital component of your security management program. You're not likely to have online survey tools or a security blog, but you do have feedback loops that need to be maintained. Sometimes that feedback comes disguised as compliance metrics. These are the checkboxes and numbers passed up the chain of command to demonstrate your compliance with regulations, laws, policies and guidelines. Most security professionals have compliance standards they need to meet; however, they aren't the real story.

Our security programs cannot be defined and managed simply by compliance with statutes. A great security program is one where those in charge understand how well they inculcate a security culture within their organization. The efficacy of such a program focuses on the human element. In other words, it means gaining and weighing feedback on how the program is perceived and supported by non-security personnel. Do they feel they have a stake in protecting the organization's major assets - people, property and information? You need to establish and maintain a feedback loop on that critical element from those you support.

But if you just want a restaurant referral in Italy, call my wife. I'm too busy checking for dust on my baseboards.

John McCumber is a security and risk professional, and is the author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, please e-mail John at: