HPE Business Insights

5 ways to measure the success of a security and risk management strategy

MylesS on ‎03-12-2012 10:14 AM

Driving Continual Business Value

Security is a front-and-center concern for businesses today. Cyber threats are getting more sophisticated and even more unpredictable. More importantly, the risks of getting security and risk management wrong range from financial loss, reputation damage, customer loss and lawsuits to the loss of human life. As it turns out, it is a lack of IT coordination between people, process, and technology that actually creates the blind spots attackers exploit. Piling on more software, more processes, and more stopgap measures is simply not a sustainable option.


Security is a Cold War Game

Security and risk management has effectively become a cold war game of measures, countermeasures, and counter-countermeasures. Most recently we’ve seen this on “60 Minutes” (in a piece devoted to the Stuxnet virus) and in this week’s press on DuPont. In many cases, the perpetrators are shadow operations (sometimes state-sponsored) that include trained hackers breaking into companies and countries.


What is needed to succeed in the never-ending security and risk war is an end-to-end framework that reconciles what are most often disparate functions and silos of security within IT. Only by using such a framework can you achieve a sustainable approach to protecting your company.


One thing is clear: security and risk management have become an increasingly important priority for CIOs and Chief Information Security Officers.


More than ever, enterprises need to explicitly manage the security, risk and compliance of their entire IT infrastructure by addressing all aspects of enterprise security: people, processes and technology. Key to making this happen is making sure IT assets and resources remain safely under the control of CIOs and CISOs.


5 concrete measures for security and risk management

Like the other topics we have been discussing over the last few weeks in this series—converged infrastructure, hybrid delivery, application transformation and information management—concrete measures are needed to prove out the value and quality of the end-to-end security and risk management journey. The measures below are drawn from IT service management. This is because service management is the living record of success and failure in IT management and, more important, is the convergence point for people, process, and technology.


1) Number of incidents due to physical security breaches or failures. I also like the percent of total incidents that are due to a physical security breach or failure, because it is an amount that can be viewed month over month and should always be very small.


2) The percentage of emergency changes is another important measure derived from the service management system. Where this percentage is high, it can be observed that changes are likely happening without a strong change advisory board; in that case, changes are in reality being documented after the fact. While capturing a compliance record is important, running IT this way means standards are not being applied, and IT infrastructure and business applications are experiencing a higher risk of security lapse than they should be.


3) The percentage of unauthorized implemented changes is critical to monitor because where this is above zero, there is no real control over the IT environment. As the number of unauthorized changes increases, the potential for a major security issue also increases significantly.


4) Percentage of users who do not comply with password standards. The number and type of suspected and actual access violations need to be driven to a very small number. In fact, a serious IT organization should drive this as close as possible to zero.


5) Mean time to recover from non-compliance. One way to establish better control over the IT environment is to ensure that IT infrastructure conforms to policy standards and is buttoned down, and that when it is out of conformance, it is quickly recovered. This KPI goes after this issue directly.


COBIT 4 identifies many more measures for security, compliance, and business risks, but the five discussed here represent a great place to start.


Related links:

Feature: Peak performance demands precision control

Solution Brief: IT Security

Solution page: IT performance management

Twitter: @MylesSuer

About the Author

MylesS

Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product Management including IT Financial Management and Executive Scorecard.
