
Review of Information Security and Risk Management Strategy – Complex or Straightforward Exercise?
by Drazen Drazic

Information Security Wordle: RFC2196 - Site Security Handbook

In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.

One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help define the strategy framework; communicate the strategy (by specifying performance measures); track performance (by collecting valuable information pertinent to the phase of strategy); increase accountability (by linking metrics to performance appraisals and business plans) and to align objectives of individuals, teams and the organisation itself.

In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum (thanks Rayport and Jaworski for the inspiration):

•    Articulation of the Security Strategy
•    Translating Strategy into Desired Outcomes
•    Devising Metrics
•    Linking Metrics to Leading and Lagging Indicators
•    Calculating Current and Target Performance

How complex an exercise is this? In recent weeks I have done a couple of presentations to boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategy(s).

Are exercises like this 12-month-plus projects, à la Big 4 massive undertakings (costing millions), or can an experienced eye provide the same end results in a fraction of the time? Read on.

My audiences were somewhat gobsmacked when I said we could do this work for them in weeks (not many months or years). Cost in the thousands – not hundreds of thousands or millions! “How good was the last work done by Big company if you’re already looking for it to be done again?”, I asked. This received nods all round. Fair question?

Now let me emphasise that the scope is strategy, not finding every single issue to do with security in the organisation. (That is something different.) It is, though, totally comparing apples with apples against what they have received before from Big company – work that has led to little advancement in IT Security and Risk Management practices within the organisations.

Bottom line is that such an exercise is not a complex undertaking. Thus it doesn’t need a long and complex explanation. A good starting point and one that has always worked for us is here: The 7 Reasons why Businesses are Insecure.

You can change the title of this to many things and it’s all the same thing: “Why the IT Security and Risk Management Strategy is failing”, “What are we doing wrong with IT Security?”, etc.

It doesn’t have to be complex because where the strategy fails in most cases is in basic management and governance and associated accountability and ownership of basic process and controls. It is that simple. I’ve never seen an organisation in a “bad” way in regards to IT Security where the CEO (and/or other senior management) is supportive, is a key stakeholder in all strategy initiatives and is actively involved to ensure the strategy is on track. That says it all in 95%+ of cases.

Do I need to expand further as to why a strategy review to find what is failing and why and what needs to be “fixed up” only need take a short time? Hey, to be honest, in most cases, 95%+ of the report is done in our heads within 15 minutes of starting the conversation/interview with the CEO (and/or senior management). The rest of the time is spent confirming we have that 95%+ correct and finding any surprises – and generally we don’t.

“Argh….you’re simplifying this too much Draz”, you might be saying. From my experience, I’m not. Have a think about it and have a good think about it before you do engage someone who tells you it will take 6 months or more to review your corporate IT Security and Risk Management strategy. :)

This entry was posted on Wednesday, July 22nd, 2009 at 8:16 AM and is filed under Community Manager, IT Decision-making, Information Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
