As Yogi Berra put it, "If you don't know where you're going, you'll end up someplace else." Do you know where you're going with respect to your privacy and security awareness programs? How will you know when--or if--you get there?
"But wait just a minute," you object. "Everyone knows that security is a process, not a destination. Is there really any such thing as arriving?" Well, of course there is. Just because a process is dynamic doesn't mean it's left without any measurable aspects. Besides, if any process is to be improved, it must also be measured.
There are many benefits an organization will enjoy when it makes those improvements, not the least of which is the budget justification for creating a security awareness program that help will boost security effectiveness overall. Martin Sadler, Director of Security at HP Labs, summed them up thusly: "Organizations that have achieved a high level of security effectiveness are better able to identify major data breaches, secure confidential information, limit physical access to data storage devices, and achieve compliance with legal and self-regulatory frameworks. They are also in a better position to attract and retain high-quality security personnel and enforce corporate policies."
Those benefits have ripple effects throughout the organization--benefits that span protecting the company reputation to increasing customer trust and loyalty. And those translate directly to the bottom line.
Granted, measuring security effectiveness is not as straightforward as measuring a manufacturing process. There are many variables that are simply outside of one's direct control. In fact, a recent ISACA report conceded, "...security is contextual and not an isolated discipline; it depends on the organization and its operations. Furthermore, effective security must take into account the dynamically changing risk environment within which most organizations are expected to survive and thrive." All the more reason that improvements be addressed wherever possible!
In any case, this variability may explain the disparity of results Dr. Kenneth Knapp discovered when he investigated the effectiveness of security programs. He found that while the majority of infosec professionals surveyed believed they were able to secure their information effectively, only 22 percent of them believed so with a high degree of confidence.
Moreover, the survey showed that more than a third did not believe that their organization effectively secures its data. And this is likely understated. Sounds like room for improvement.
When asked about this, Dr. Larry Ponemon of the Ponemon Institute admits that while security effectiveness can be an elusive object to measure, there are highly effective ways of determining it, short of recording incidents of catastrophic failure. So how do we go about making improvements? What, exactly, is it we can measure to determine whether the security awareness program is as effective as it ought to be? In answering these questions, Ponemon begins with identifying the key dimensions of information security effectiveness, which he describes as:
- Uptime: The ability to withstand cyber attacks and avoid costly business disruption.
- Compliance: The ability to achieve compliance with all applicable regulations and laws.
- Threat containment: The ability to prevent or quickly detect external security threats such as cybercrime, social engineering or malicious attacks.
- Cost efficiency: The ability to manage investments in information security and data protection in a competent (non-wasteful) manner.
- Data breach prevention: The ability to prevent or quickly detect internal security threats such as the negligent or incompetent insider.
- Policy enforcement: The ability to monitor and strictly enforce compliance with internal policies, procedures and other security requirements.
Sign up for CIO Asia eNewsletters.