Perhaps you have heard the saying, “What gets measured gets done.” This is business wisdom at its finest. With regard to IT, however, what if you feel like you can’t measure certain things? After all, calculating information risks, ROI and so on can be difficult. But that is probably because you haven’t looked at it deeply enough: The reality is that if you step back and look at the big picture, you can indeed measure the critical areas of IT. It's just a matter of metrics.
Metrics can drastically improve your information risk management and compliance initiatives. But you must take the initiative to go down that path. In Keep the Joint Running: A Manifesto for 21st Century Information Technology, Bob Lewis wrote, "Bad metrics are worse than no metrics: If you have no metrics you’re ignorant and know it. Bad metrics, in contrast, give either the wrong answer to the right question or answer the wrong question." I agree.
If you've at least got some semblance of metrics -- no matter how much they need to be tweaked -- you're at least going down the right path. Sadly, many organizations just approach each year with a sequence of events that goes something like this: scan, audit, plug the holes, scan, audit, plug the holes. It’s functional, but it’s probably not the best way to go about managing risks and compliance. Like most areas of any business, there’s always room for improvement.
The reality is that risk management metrics can be tricky, if not downright scary. But they don’t have to be if you follow the proven approach: You must first define what “good” information risk management and compliance mean in your business. Perhaps it’s no breaches? Maybe it’s not getting any dings on your quarterly scans or annual audit reports? One security breach or compliance gap doesn't necessarily mean failure. No security breaches or gaps doesn't necessarily mean success. The key is to look at trends. How effective are your compliance and security measures? Are they efficient enough, or is there still room for improvement? Only you and your fellow business managers can define what matters and ultimately what’s considered a “success” for the business.
Digging in deeper, you need appropriate controls based on the level of risk. Not everything counts the same. You’re likely already taking this approach since many regulations, including HIPAA and GLBA, are risk-based. Part of the initial legwork has already been done. But you have to dig in much deeper. Some questions you need to answer include:
- What do you have of value?
- How is it at risk?
- How are these risks changing over time?
- What's it costing you to manage these risks?
- How much can you afford to lose?
- How successful are your current controls?
- Do you even have the proper insight into what’s taking place in your environment?
- What else can be automated or outsourced to further reduce your risks and improve overall compliance and security?
Think about these areas across all parts of the risk management spectrum, from your information system infrastructure to your data, to your policies and people. Everything matters -- and you had better make sure you're looking at everything -- not just what some regulation says. Information risk management is about managing all of your risks across the board.
Be aware that you don't want to go at this alone. This is going to require getting others involved -- especially executive management. Information risk management and metrics are not something that one person should manage.
Risk management metrics must be periodically and consistently measured; otherwise you have bad data -- and you can’t run a business on bad data. A snapshot-in-time vulnerability assessment or an annual compliance audit isn't enough. The process for gathering risk management metrics data needs to be automated wherever possible. I see lots of organizations that have fancy IT and security monitoring and maintenance systems, but the people in charge are not using them anywhere near their potential. Many others choose not to invest in the right tools and, thus, the lack of visibility and insight continues.
The bottom line is that metrics are like goals. They need to be specific, they need to be measurable, they need to have a timeline, and someone somewhere along the line needs to be held accountable. Otherwise, they're mere wishes that lead to delusions that lead to compliance gaps and business risks that you're probably not willing or prepared to take on.
Why not establish a set of risk management metrics and do it the right way from the get-go? Don’t focus on statistics alone. Rather, focus on understanding what's really going on with your information systems. By doing so, you'll be able to get a better handle on what works and what doesn't. Adaptability and continual improvement are must-haves in the world we work in and must eventually become second nature to your business.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.
This was first published in September 2010