Defining Security Success
“Defining success” sounds like a track that belongs at some second-rate professional networking event. You know the type: the smell of stale coffee wafting across a dimly-lit room where all you can make out are the the keynote speaker’s bleached-white teeth protruding from his motor-mouth that never stops spewing overly-obvious “advice” into the venue’s cheaply-made microphone. But all kidding aside, I pose a serious question: how will your security initiative ever achieve success if you don’t know what it looks like in the first place?
Defining success seems like a trivial principle, yet I’m consistently shocked to see just how few security programs actually have a plan for success. They’re instead managed in a myopic project-by-project fashion, or worse, as reactive “catch-all” efforts to the never-ending torrent of random security distractions that agitate every enterprise.
So, where does one begin to define a vision for success? Here’s a hint: it’s not done by identifying obvious problems and fixing them one-by-one. Such behavior is the hallmark of reactive management styles. This “firefighter” methodology aims to abolish security issues, but logically speaking, the absence of obvious issues does not necessarily guarantee an improved security posture.
So what separates firefighter-style security management from imaginative leadership? It’s the ability to build concrete visions of future-state success which the entire organization can execute on; specifically without excessive hand-holding from you as a security leader. In the same way we don’t see coaches kicking a football around the field on game day, security leaders must define impactful outcomes (and the rules of engagement) so that everyone else in enterprise can contribute to success with the least amount of coaching possible.
Put simply, one must know what success looks like before it can be achieved. Otherwise, your career in security will be a purely reactive and studded with haphazard results.
There’s a million ways to build a success framework, but regardless of the method, three key ingredients are paramount: prioritization criteria, measurement, and proper socialization.
In terms of prioritization, it would be marvelous if we as security leaders could simply pull up a chair to the executive table and ask for a copy of the initiatives we’re expected to work on. Unfortunately, the real-world is far more convoluted and volatile. Competing priorities will diffuse security focus, and security leaders cannot hold their breath for some miraculous program management office to descend from heavens and reconcile the security portfolio for them. Yet one road to self-sufficiency is to build a prioritization scheme based on criteria that can enable various efforts to be “scored” in a ranking style. Examples of scoring criteria include profit, efficiency, time-to-market, and so on. The point is, there will be a time when two or more efforts compete for your team’s attention, and you’ll need a pragmatic means of breaking the contention. This is what prioritization criteria is all about.
Measurements on the other hand convey performance, and they should be qualitative and quantitative, as both are complimentary. I personally like to set the stage with the qualitative measures (“getting our cloud app certified will increase customer confidence and lift sales”) then drive home impact with the quantitative measurements (“security automation will provide 10x more visibility with half the staff”). In addition to gauging performance, metrics and measures also serve as concrete justification criteria for budgets.
Socializing Your Vision
Defining a security vision and building supporting measures are excellent first steps in designing a successful security or risk management program. But if you fail to socialize the plan, solicit feedback, and make necessary cultural tweaks to acclimate plans to the enterprise climate, your program is certainly going to face challenges. Socialization should have a 360-degree perspective that incorporates feedback from superiors, subordinates, and every stakeholder in between. As good as your plan sounds on paper, others will surely lend invaluable advice.