In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.
One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help define the strategy framework; communicate the strategy (by specifying performance measures); track performance (by collecting valuable information pertinent to the phase of strategy); increase accountability (by linking metrics to performance appraisals and business plans) and to align objectives of individuals, teams and the organisation itself.
In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum (thanks Rayport and Jaworski for the inspiration):
• Articulation of the Security Strategy
• Translating Strategy into Desired Outcomes
• Devising Metrics
• Linking Metrics to Leading and Lagging Indicators
• Calculating Current and Target Performance
How complex an exercise is this? In recent weeks I have done a couple of presentations to boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategy(s)?
Are exercises like this 12 month+ plus projects a la Big 4 massive undertakings (costing millions) or can an experienced eye provide the same end results in a fraction of the time? Read on.
My audiences were somewhat gobsmacked when I said we could do this work for them in weeks, (not many months or years). Cost in the thousands – not hundreds of thousands or millions! “How good was the last work done by Big company if you’re already looking for it to be done again?”, I asked. This received nods all round. Fair question?
Now let me emphasise that scope is strategy and not finding every single issue to do with security in the organisation. (That is something different). It is totally though comparing apples with apples vs. what they have received before from Big company – work that has led to little advancement in IT Security and Risk Management practices within the organisations.
Bottom line is that such an exercise is not a complex undertaking. Thus it doesn’t need a long and complex explanation. A good starting point and one that has always worked for us is here: The 7 Reasons why Businesses are Insecure.
You can change the title of this to many things and it’s all the same thing; “Why the IT Security and Risk Management Strategy is failing”, “What are we doing wrong with IT Security?” etc etc….
It doesn’t have to be complex because where the strategy fails in most cases is in basic management and governance and associated accountability and ownership of basic process and controls. It is that simple. I’ve never seen an organisation in a “bad” way in regards to IT Security where the CEO (and/or other senior management) is supportive, is a key stakeholder in all strategy initiatives and is actively involved to ensure the strategy is on track. That says it all in 95%+ of cases.
Do I need to expand further as to why a strategy review to find what is failing and why and what needs to be “fixed up” only need take a short time? Hey, to be honest, in most cases, 95%+ of the report is done in our heads within 15 minutes of starting the conversation/interview with the CEO (and or senior management). The rest of the time is spent confirming we have that 95%+ correct and finding any surprises – and generally we don’t.
“Argh….you’re simplifying this too much Draz”, you might be saying. From my experience, I’m not. Have a think about it and have a good think about it before you do engage someone who tells you it will take 6 months or more to review your corporate IT Security and Risk Management strategy.