Metrics for success

Measuring alignment using key risk indicators

Security's "alignment" with the business objectives we serve seems to have some traction in our communications and literature these days. In my various venues of engagement with colleagues, I get a lot of questions about how we can demonstrate with our metrics that we have a positive connection to the core business strategy and objectives.

Why is this a relevant, important issue for us? A few of you reading this will not even pause on this question, because you have frequent demonstrations of connection to the business. Many others lack that continuing link to the value equation and fail to see the need for the connection, fail to spend quality time trying to understand and influence management's perception of our services' return on investment, or both.

The radar chart to the right shows a separate axis for each category of key risk indicator with an assessment of where we are vs. where we would like to be on a 1-5 scale. Think about what you would choose to demonstrate your security department's relationship with the business. This simple representation puts forth seven criteria that I believe are reliable indicators of a qualitative connection to business strategy and objectives. Start at the top and go clockwise. Measure your program against the following:

Security's contribution to the success of the business. This is a fundamental issue, and it needs work. If this has been left out of Security's mission statement, it is time to reset some big switches. How is "success" measured in your business? Is there any connection to managing risk, safe workplaces, protecting customers, safe products, trusted relationships or simply doing the right things? Have you asked your boss or anyone in senior management how they see a good security program contributing to business success? Our assessment here is a 2.5 vs. a target of 4.

Identification and escalation of security-related issues. How educated, proactive and timely are business units in recognizing risk and reporting their concerns to Security? If you say "not very," ask yourself how well you have understood their operational risks and whether you have provided them with the tools to fulfill their responsibilities. In this case, one of you is significantly missing the mark.

Business ownership of security risks and controls. I would not be surprised if this obvious lack of ownership at the business unit level is the root cause of the need noted directly above. A company that believes that "security" is owned by you has either been misinformed by you or fails to understand any commonsense notion of delegated accountability. Again, badly missing the mark.

The business' knowledge and understanding of security and security's understanding of the business. I know we're skipping around a little here, but these two considerations share the same DNA. Where there is evidence of various security programs proactively addressing risky business processes, there likely is an institutional commitment to shared responsibility for enterprise protection. We are closer in this case, and improvement will come if the parties address some of the issues outlined above.

Management's appetite for security-related risk. I think there is a direct link between the disconnects noted above and management's excessive acceptance of security-related risk. Security has not provided a business case focused on current examples of verifiable risk exposure, and this has spilled over into the lack of ownership and identification of security risk issues.

Security program maturity and acceptance. This CSO has been a bit self-serving here, in my view. If some of the prior assessments were honest and collaborative, I think this category deserves more of a 3 than a 4. Better acceptance would not have resulted in the disconnects we have seen, and more maturity can be found in a fundamentally improved knowledge and connection with the businesses security serves.
