7

How do security professionals measure their success and how do they communicate this to others in their organizations?

The way I see it, if no security incidents occur then either the security team is doing a good job, there was no threat to begin with, or it's only a matter of time before an incident does occur. If a security incident occurs, then clearly the security team has failed.

It seems like workers in security are in a lose-lose situation: having to justify their existence when times are good or explaining why they performed their jobs to a reasonable standard when things go wrong. Is this really how it is?

qce88
  • it pretty much is exactly like that... – architekt Jul 23 '18 at 06:21
  • This is why almost every security function I've interacted with (and that's a lot, selling a tool to help with GDPR) has an almost obsessive compulsive approach to following every last edict of every single policy. That way, when it blows up, "I followed procedure, not my problem". Of course, if you're the guy writing the book, things start to look a little hairier, until you realise you're held to a different standard... "Industry best practice". As long as you've followed industry standard for your level of risk, you're _probably_ fine. – Basic Jul 24 '18 at 01:30

2 Answers

7

Many people, including many security professionals, see security in binary terms: we are either secure or we are not. This is a ludicrous perspective from all sides.

Security is about understanding, measuring, and managing risk.

To put this in terms of your proposed lens of 'success':

  1. Have we been unsurprised by a threat and the impact that materialised?
  2. Have we been monitoring and calculating the impact of the threats we do know about and the effectiveness of our mitigations compared to the threats and impacts that materialised?
  3. Have we been adjusting our mitigations in response to evolving threats so that when they materialise, the impact is tolerable?

If we can say "yes" to those, then we have been successful.

That's how you measure the success of a security program of an organisation, and that's how you measure your personal success as a security professional.

Chasing the state of "secure" is a silly task, especially considering the reality of 0-days and the fact that the secure operation of an organisation is entirely up to non-security people (and even security people get it wrong sometimes).

The path to success is about risk and resiliency.

schroeder
  • Right, this is infosec 101. I guess what I really meant to ask was: how does this typically play out when it’s time for performance reviews? It seems like charisma and persuasiveness are necessary skills for survival in security... – qce88 Jul 23 '18 at 11:04
  • That's a completely different question and more suited for workplace.stackexchange.com. Your performance reviews need to be measured against objective, not subjective, performance metrics. – schroeder Jul 23 '18 at 11:28
  • +1 for the use of the word "unsurprised" - among other reasons. – Tom K. Jul 24 '18 at 08:22
  • @TomK. "Not *if* but *when*" - which means we need to be prepared to take anything that happens in stride. – schroeder Jul 24 '18 at 08:23
0

There are positive and negative measurements; which ones apply depends on how we implement the measurements.

Some examples are as follows:

Positive Measurements:

  1. Decrease Reported Incidents - Percentage decrease in security breaches reported to the Service Desk
  2. Decrease in impact of security incidents - Percentage decrease in the impact of security breaches and incidents
  3. Increase in SLA conformance - Percentage increase in SLA conformance to security clauses.

Negative Measurements:

  1. Conformance to Compliance and Policy - Number of incidents breaching compliance and policy
  2. Number of Implemented Preventive Measures - Number of preventive security measures which were implemented in response to identified security threats
  3. Implementation Duration - Duration from the identification of a security threat to the implementation of a suitable counter measure
  4. Number of Major Security Incidents - Number of identified security incidents, classified by severity category
  5. Number of Security Related Service Down times - Number of security incidents causing service interruption or reduced availability
  6. Number of Security Tests - Number of security tests and training carried out
  7. Number of Identified Shortcomings during Security Tests - Number of identified shortcomings in security mechanisms which were identified during tests

Source: http://www.isaca.org/Groups/Professional-English/itil/GroupDocuments/IT_Security_Management_ITILv3_KPIs_.pdf

Sayan
  • These are KPIs, yes, but not measures of *success*. Measuring *success* is a layer on top of KPIs (defined by what is expected and what trends are desired). You do not present any of these KPIs to management, for example (or in performance reviews). These must be presented in such a way as to show whether those numbers are good, bad, trending well, or on target. – schroeder Jul 24 '18 at 08:16
  • Believe any Business/Operational success is represented with SMART objective/KPI... – Sayan Jul 24 '18 at 14:35
  • KPIs never measure success. Success is metadata. – schroeder Jul 24 '18 at 14:36