Warning Signs of Security's Decreasing Influence, Part III

Metrics For Success

By George Campbell

For the past two months, I have been exploring how to determine the warning signs of security’s decreased effectiveness and influence. If you cannot answer “yes” to the following three questions, you may have an influence problem:

1. Does the security program have the influence to help eliminate risky business practices?
2. Do employees and management accept the concept of shared responsibility for asset protection?
3. Does management believe the security program is adding value?

In my previous two columns I have discussed several kinds of warning signs, from budget reductions without consideration of increased risk, to continuing findings of exploitable vulnerabilities, to unresolved security-related audit findings. I will conclude with five more:

1. Security is not consulted before management makes changes to processes, products or relationships with evident security risk impact. Note the word “evident” in this

While this closely resembles #3 and others, it really goes to the failure to establish a comprehensive, disciplined and ongoing process of incident and workload analysis. What are the trends and the common denominators? What steps are working and where are the gaps?

5. Decreasing engagement of essential internal partners in matters of clear security concern. This is not an isolated shortcoming — it is a summary result of all the failures mentioned in this series. You have not connected the dots between your security and risk message and the responsibilities of your organization’s employees and business leaders. You either have not spoken their language or they have tuned you out.

I have taken a brief look at 15 danger signals that may indicate failing influence on critical issues or will clearly damage the credibility of the security organization and its leadership. Metrics provide an early warning system — they enable positive influence, action, attitude and policy. You have the data, now take an objective look at the competence of your data management capabilities. What
Description: I would like to invite you to visit the Security Executive Council Web site and download a free PDF of my presentation "A Security Metrics Story: Turning Data Into Metrics." This step-by-step guide on how to build your security metrics program will help you demonstrate security's value through clear alignment with business strategy and objectives. Download it here: www.securityexecutivecouncil.com/smstory.