Security Needs To Be Everyone's Responsibility
Metrics mapped to corporate goals
Petrie developed a metrics program that was mapped to corporate goals for the organization. Clarke American, one of the two companies that joined to form Harland Clarke in May 2007, won a prestigious Malcolm Baldridge National Quality Award in 2001; it was the sole recipient in the manufacturing category. Petrie took advantage of this strong culture of quality to develop a centralized and repeatable metrics program. His approach to designing and implementing a security metrics program takes the following steps:
Step 1: Get to know your business and understand the culture: Successful CISOs know how to reach out across teams to understand security’s impact. Petrie founded his security practice on an organization that was already committed to quality. Understanding this foundation was crucial in developing a security program—and later, a metrics program—that had relevancy. He used a lot of the existing measurement process and tools to gather security-related information.
Step 2: Identify business goals: At Harland Clarke, senior executives define key business strategic imperatives. Imperatives are refined annually based on results from the prior year and the company’s overall vision, factoring in marketplace dynamics. The statements define the focus that each business unit needs to align with to plan their actions and define success for their respective areas. Petrie was able to map security initiatives to these business success imperatives.
Step 3: Determine how security can impact corporate goals: Understanding what makes the company successful leads to understanding how security might affect that success.
Petrie crafted security statements based on three core principles: 1) Security is everyone’s responsibility; 2) trust but verify; and 3) protect the confidentiality, assure the integrity, and ensure the availability of the data entrusted to the company.
Step 4: Develop your program on established standards: Leaning on the International Organization for Standardization (ISO) standard 17799 and applying his core principles, Petrie developed a program that was based on a comprehensive yet globally recognized standard.Other standards and frameworks may be more appropriate for other organizations, but it’s essential to look to a proven framework to build out your program. Standards can remove some of the guesswork.
Step 5: Measure the business success of security imperatives: With security imperatives and business goals aligned, Petrie developed targeted and repeatable metrics to measure security’s position and impact over time.
Harland Clarke’s metrics secure executive visibility
Harland Clarke’s security metrics program consists of 33 measurements that are monitored on a periodic basis. Some are measured weekly, others monthly, and yet others quarterly. Each of these is mapped exclusively to the information security organization’s key strategic imperatives. Five of the metrics are selected by executives and are monitored by the executive team on an ongoing basis.
The increased visibility among senior leadership—and the demonstrated results—led to a 100 percent increase in the security budget in the second year of the ISO program. This success was possible because Petrie was able to demonstrate the merit of the program by translating security’s value to key business stakeholders.
Security secrets to success
Get to know your business: Petrie stresses the importance of understanding what it is that makes your business successful. Start with sales to learn how they generate their numbers and revenues. Use marketing techniques and do a strengths, weaknesses, opportunities, and threats (SWOT) analysis to find out how they got successful. Figure out what the key business metrics are and how security could contribute to one or more of them.
Evaluate and re-evaluate your metrics: Metrics should be evaluated when policies change, if new tools are introduced, or if any major change occurs in your environment. It’s important to have a team review the metrics rather than the CISO making the decision on his own. But think of the metrics program as an ongoing effort. You are never done.
Avoid probabilities: Most of Petrie’s metrics are based on actual historical data. Assumptions change over time, and probabilities and estimations can erode credibility and transparency if they are not based on reality. Probabilities should not be used if you don’t have data to back up your assumptions.