|
Review of Information Security and Risk Management Strategy – Complex or Straightforward Exercise?
by Drazen Drazic |
|
In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.
One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help define the strategy framework; communicate the strategy (by specifying performance measures); track performance (by collecting valuable information pertinent to the phase of strategy); increase accountability (by linking metrics to performance appraisals and business plans) and to align objectives of individuals, teams and the organisation itself.
In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum (thanks Rayport and Jaworski for the inspiration):
• Articulation of the Security Strategy
• Translating Strategy into Desired Outcomes
• Devising Metrics
• Linking Metrics to Leading and Lagging Indicators
• Calculating Current and Target Performance
How complex an exercise is this? In recent weeks I have done a couple of presentations to boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategy(s)?
Are exercises like this 12 month+ plus projects a la Big 4 massive undertakings (costing millions) or can an experienced eye provide the same end results in a fraction of the time? Read on.
My audiences were somewhat gobsmacked when I said we could do this work for them in weeks, (not many months or years). Cost in the thousands – not hundreds of thousands or millions! “How good was the last work done by Big company if you’re already looking for it to be done again?”, I asked. This received nods all round. Fair question?
Now let me emphasise that scope is strategy and not finding every single issue to do with security in the organisation. (That is something different). It is totally though comparing apples with apples vs. what they have received before from Big company – work that has led to little advancement in IT Security and Risk Management practices within the organisations.
Bottom line is that such an exercise is not a complex undertaking. Thus it doesn’t need a long and complex explanation. A good starting point and one that has always worked for us is here: The 7 Reasons why Businesses are Insecure.
You can change the title of this to many things and it’s all the same thing; “Why the IT Security and Risk Management Strategy is failing”, “What are we doing wrong with IT Security?” etc etc….
It doesn’t have to be complex because where the strategy fails in most cases is in basic management and governance and associated accountability and ownership of basic process and controls. It is that simple. I’ve never seen an organisation in a “bad” way in regards to IT Security where the CEO (and/or other senior management) is supportive, is a key stakeholder in all strategy initiatives and is actively involved to ensure the strategy is on track. That says it all in 95%+ of cases.
Do I need to expand further as to why a strategy review to find what is failing and why and what needs to be “fixed up” only need take a short time? Hey, to be honest, in most cases, 95%+ of the report is done in our heads within 15 minutes of starting the conversation/interview with the CEO (and or senior management). The rest of the time is spent confirming we have that 95%+ correct and finding any surprises – and generally we don’t.
“Argh….you’re simplifying this too much Draz”, you might be saying. From my experience, I’m not. Have a think about it and have a good think about it before you do engage someone who tells you it will take 6 months or more to review your corporate IT Security and Risk Management strategy. 
Tags: information security strategy, IT benchmarks, risk management strategy
This entry was posted on Wednesday, July 22nd, 2009 at 8:16 AM and is filed under Community Manager, IT Decision-making, Information Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
|
| Impact of Design On Trust We attended RSA 2010 this week where VeriSign was a Platinum Sponsor. Executive Chairman, Jim Bidzos, gave a Keynote Address on the 'Internet and Trust' explaining that without trust, people are less likely to freely share information or transact online.... Launch of VeriSign Trust Seal With the launch of the VeriSign TrustTM Seal last week, we introduced a new section to the Website dedicated to the Trust Seal. The Seal enables Websites to communicate that they are a trusted site to do business with and... New Video Player Experience Videos on www.verisign.com have a new look and feel. Users will experience an improved delivery of videos that are optimized for their available bandwidth. During playback when hovering over the video, users now have the ability to quickly share (e-mail,... |
|
| PayPal UK Launch Security Key - Guest Posting from PayPal I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly. Facebook scam - Part 2 This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info. Survey finds passwords are not secure - well d'uh! I don't think the vendor community has been crying wolf about the problems that stronger authentication solves, more like highlighting that this problem is here and growing. Well the discussion I have had recently with many different organisations across many different industries are now resulting in more and more consumer projects in this area |
|
| Open Identity Exchange: enabling all the VISAs of identity The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards... Rethinking Internet Trust and Reputation Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the... Google Hacked or Why the Cyber World Could Get M.A.D** As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were... |
|
