Is there any conceivable reason why you should not run your security operation like you run your core business?
The sales people in your firm have sales quotas and are measured by gross profit margin and collections. The people who run manufacturing and distribution have quotas for manufacturing throughput and inventory cycle times.
So why shouldn’t your CSO, CIO, information security staffers, network managers and software developers have measurable quotas and compensation for meeting or exceeding their information security numbers?
If you don’t currently measure and report your security performance internally (unlike companies such as Intel and Motorola, which have a strong metrics culture and measure everything), you should consider managing your security operation like you manage a business unit and adopting a tightly focused strategy on customers, market and competitors.
Without well-defined, standard, vendor-neutral threat models and performance metrics, there cannot be improvement; and continuous improvement is what customers want and have come to expect. Consider that we all expect that after the iPhone 4 comes the iPhone 5, and we should be expecting that after better data security comes reduced cost of data security.
A business lives on its information assets. Whether you’re a contractor digging ditches for a cable provider or the cable provider’s CEO, you live on information. Key company assets (such as customer records) are digital and live on a PC, a Windows server, a Linux server or a mainframe; the paper is a “hard copy”, not the original.
Your firm manages fixed assets and produces 10-Q reports if publicly traded, but do you identify and valuate the digital assets that are key to the operation? Can you calculate ROI for digital asset protection technology, or prove compliance with Sarbanes-Oxley section 906, without measuring the value of your key operational digital assets?
Choose a business strategy for information security. Information security today works on a cycle of reaction and acquisition. You have a data breach event or an outbreak of a worm in your network – you react by acquiring products and services.
Information security needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry just like companies benchmark earnings per share.
In his classic article “What is Strategy?”, Michael Porter writes that “the essence of strategy is what not to choose…a strong competitive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business”. Security of your business information also requires a strategy.
Measure in order to manage, improve and comply
There are widely accepted and practiced revenue models, costing models and performance metrics that work for all kinds of business units. To cost a product or service, a distribution business uses mark-up margins, a manufacturing unit uses bill-of-material costing and a professional services unit uses standard and activity costing. If you want to evaluate cash flow, just look at cash flow from operations, or free cash flow (FCF): simply cash from operations minus capital expenditures. True, FCF omits the cost of debt, but you have an objective indicator to go by that can be measured every week, every month, every quarter of the year.
Several years ago, a major supermarket chain in Israel lost $5M in sales in one month, because their purchase prices of fresh produce were leaked to a competitor by an employee using instant messaging. The firm reacted with locked doors and cameras, but locked doors and cameras can’t audit information flows and provide data security performance metrics that will help them prevent the next leak of sensitive information.
Test your information security business strategy IQ
- Is your data security spending driven by compliance regulation?
- Are Gartner Group white papers a key input for your information security purchasing decisions?
- Are you running without data security win/loss metrics?
- Do you have separate physical and data security teams reporting to different managers?
- Is your data security purchasing cycle over 2 years?
- Are you short on head count, and using that as an excuse for not implementing data security technologies?
- Are you a CTO and you never personally sold or installed one of your company’s products?
If you answered YES to 4 out of 7 questions, you need a business strategy with operational metrics for your information security operation.
Take action to protect your assets like you run your business
- Set up indicators and publish them once a week on the company Intranet for everyone to see. Start with 3 indicators: the number of network anomalies your IDS found that week, your current patch cycle time and how much overtime your security staff worked that week.
- Do continuous security audits. Purchase a tool for network audit and run it once a week on a different part of the network. The guys over in the warehouse stopped doing full physical counts once a year 15 years ago; they count a little bit of inventory every day with hand-held barcode terminals. Get a consultant to help you set it up, then run it yourself.
- Make the number of overtime hours your network security staff works a key monthly indicator.
- Build a threat model, maintain a database of your key assets, threats and vulnerabilities, and start using practical threat analysis today.
- Define your competitive strategy for security operations. Is it low cost? Is it single vendor? Is it Linux desktops? Is it end-point security focus?
- Implement a consistent set of activities, for example standardizing on diskless thin clients, remote desktops and Windows Terminal services.
- Think how activities can reinforce each other – for example by installing personal firewall software that reports on intrusion attempts to a central server so that you can plan your response to future attacks.
- Identify sets of activities that optimize your efforts. Perhaps you have a totally flat network with a spaghetti plate of servers and workstations today. Segment the network into VLANs: put the application servers on one segment, the data servers on another, and client workstations on departmental segments, and so forth. Performance and security will improve and you’ll be able to monitor content effectively. You’ll spend less time firefighting and more time thinking.
- Install your company’s products yourself. After you do that, follow a customer home and watch how they do the install, time it and take notes. Update the threat model with your findings.
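As an added example (not code from the original post), here is how the three starter indicators from the first action item above can be computed for weekly publication from constructed sample records; the record formats, the IDS signature names and the patch dates are all assumptions made up for the illustration.

```python
"""Weekly security indicators from constructed IDS, patch and overtime records.

Added example, not from the original post. Computes per ISO week:
IDS anomalies found, average patch cycle time (release to install, in days)
and security-staff overtime hours, ready to publish on the company Intranet.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data (not real logs).
IDS_ALERTS = [  # (timestamp, signature)
    ("2024-03-04T09:12:00", "port-scan"),
    ("2024-03-05T22:40:00", "smb-brute-force"),
    ("2024-03-06T03:15:00", "port-scan"),
    ("2024-03-11T10:00:00", "dns-tunnel"),
]
PATCH_EVENTS = [  # (vendor release date, date installed on our hosts)
    ("2024-02-20", "2024-03-05"),
    ("2024-02-27", "2024-03-07"),
    ("2024-03-01", "2024-03-12"),
]
OVERTIME = [("2024-03-05", 3.0), ("2024-03-06", 2.5), ("2024-03-13", 4.0)]


def iso_week(day):
    """Bucket key (ISO year, ISO week) so every record lands in one reporting week."""
    year, week, _ = day.isocalendar()
    return (year, week)


def weekly_indicators(alerts=IDS_ALERTS, patches=PATCH_EVENTS, overtime=OVERTIME):
    """Return {(year, week): {ids_anomalies, patch_cycle_days, overtime_hours}}."""
    weeks = defaultdict(lambda: {"ids_anomalies": 0, "patch_cycle_days": None, "overtime_hours": 0.0})
    cycle = defaultdict(list)
    for ts, _signature in alerts:
        weeks[iso_week(datetime.fromisoformat(ts).date())]["ids_anomalies"] += 1
    for released, installed in patches:
        r, i = date.fromisoformat(released), date.fromisoformat(installed)
        cycle[iso_week(i)].append((i - r).days)  # cycle time counted in the install week
    for day, hours in overtime:
        weeks[iso_week(date.fromisoformat(day))]["overtime_hours"] += hours
    for week, days in cycle.items():
        weeks[week]["patch_cycle_days"] = round(sum(days) / len(days), 1)
    return dict(weeks)


def intranet_report(indicators):
    """One plain-text line per week, oldest first, for the weekly Intranet post."""
    return [f"{y}-W{w:02d} ids_anomalies={v['ids_anomalies']} "
            f"patch_cycle_days={v['patch_cycle_days']} overtime_hours={v['overtime_hours']}"
            for (y, w), v in sorted(indicators.items())]
```

Feed it the previous week's IDS alert export, patch records and timesheet entries and post the returned lines; a rising patch cycle time alongside rising overtime is exactly the trend the post says you cannot see without measuring.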
For more perspective on competitive strategy, see Michael Porter’s article “What is Strategy?” in the Harvard Business Review online edition.