The following article was published in Security Magazine on May 1, 2018.
This month I want to share with you a refreshing thought exercise that came from a discussion with several senior risk and security executives around the construction of their next generation security programs if they had a greenfield opportunity to create it from a blank canvas.
They were asked if they could articulate the key steps they would take. The comments were inspiring and challenging.
- Culture. Everyone seemed to agree that if they were performing an assessment to create the baseline for a program, they would start with an assessment of the organizational culture, including its culture of care towards the employee. They would then gauge the culture of the security program against it to see how well the two are aligned. Finally, they would be able to gauge whether vendors are being evaluated for their cultural knowledge and behavior as one of the ways their ability to serve the organization is measured.
- Metrics of Performance. Anchoring culture are the measures of performance used to drive an organization’s success. Cultures can be toxic or invigorating depending on how performance measures are applied. If security is seen as mission-critical to the organization’s success, it has invariably created its own measures of performance at the people, program and process level, and these measures are aligned with the organization’s.
- Technology Acquisition, Maintenance and Sustainable Performance. As stated above, we have people performing roles in a process. But they also use tools, and most of these tools are technology devices and software that allow them to aggregate data, understand it, and take appropriate action. However, this technology must be maintained and monitored. We are no longer an industry locked into a door-construction market where the hardware is never maintained after installation. When acquiring technology, we must have a plan for sustaining the deployed technology’s optimum performance over time, which includes actively monitoring its cyber defensibility and how our employees use it, and subsequently updating the software to help mitigate the risk.
Once these pillars are established, we can begin to create use cases to assess a technology solution’s value against these core performance measures. A use case describes the process by which an outcome is delivered, whether through devices interoperating with each other and/or through a combination of people performing roles using technology. The way these use cases are developed is also a measure of performance for the consultants and integrators who serve you.
What I found in speaking with most security managers and executives is that most of these pillars and outcomes are not well defined. Because of this, value is diluted or lost; the brand of security is affected.
Finally, it became apparent that we need a resilience plan that incorporates an empathetic response to victims, survivors and the community when an "X" event breaches our best attempts at security. This will require collaboration with internal stakeholders and external advisors. But a plan must be in place so that needless suffering can be mitigated.
What we all realized is you don’t need a blank canvas to make strides in these areas. Sometimes having a little spilt paint helps start the process that will one day be a work of art.