As a kid, I hated report cards. I wasn't a good high school student for all the obvious reasons--it was the '80s. I didn't take my studies seriously until college. I was paying tuition myself, and, since the money was coming out of my pocket, I figured that I'd better hit the books. Graduating cum laude validated my effort.
In the corporate world, grades take the form of performance numbers. No division EVP or department manager wants to face PowerPoint slides showing them at the bottom of the revenue pack. Perform well, your career skyrockets; perform poorly, and your career flounders.
Even if senior executives don't keep score, managers use performance numbers to benchmark themselves against their peers, set goals, devise plans and advance by showing improvements in their grade.
And this is precisely what happened when Preston Wood, CISO at Zions Bancorporation, started publishing department vulnerability scans and remediation times. Security, network and department managers raced to understand the numbers and what it would take to improve them. Security wasn't their concern; it was all about their careers.
"No one wanted to have the highest score, and would look for help in lowering their score," Wood says.
The principle is what Gartner's John Pescatore calls "motivation by embarrassment." Measure how managers respond to security threats, processes, policies and incidents, and you'll get their attention. No one wants a black mark on their permanent record, especially when the golden boy who gets promoted every year has an "A" for security on his report card.
But embarrassment isn't enough. Grades must be backed up with incentives for improvement and consequences for failure.
The federal government is the perfect example of how a toothless report card has little impact. FISMA requires federal agencies to report the status of security compliance efforts, which Congress uses for a security report card. The results have been consistently pitiful. While the overall score improved 2.5 points this year, the average agency grade was still a "D+." And many federal agencies actually saw their grades slip from the previous year.
Part of the reason: a lack of incentives. The government is only requiring the agencies to file paperwork on their security, but is not rewarding them or holding them responsible for it. Security funding doesn't increase when the grades go up, and no one is getting fired for poor grades.
Grades can be used as a motivator for yourself and your senior management; they're a perfect tool for justifying security spending. Security is often a challenge of proving a negative: Give me $1 million, and you'll see nothing happen. A report card can show how a security investment translates into better grades, and continuous improvement is something of particular importance under the Sarbanes-Oxley Act.
The danger in using report cards and other measures is the same as I faced in college: studying for the test, not for the knowledge.
As many enterprises are discovering with SOX and HIPAA, compliance doesn't mean you're secure. A good grade only means that you did what you were supposed to do to get the grade. The challenge for security practitioners is harnessing that grade motivation to exceed expectation and graduate with honors.