Information security practitioners face a unique dilemma. Nothing happens when we do our job well. This "negative deliverable" places us in the unenviable position of only being recognized when we fail. It also places information security in jeopardy of landing on the chopping block when other business needs compete for finite human, technical and financial resources.
Retaining or increasing information security resources requires us to quantify the benefits provided to the organization. Business leaders understand metrics. Salespeople are held to revenue targets. Network administrators are held to uptime guarantees. Customer service representatives are held to satisfaction scores. Information security professionals can meet similar, measurable standards. There are four areas that can help quantify information security's contribution to an organization.
1. Audit results
Audit results make an excellent starting point. Many of us are held accountable for periodic formal audits of our information security controls. These security audits are commonly used to assess preparedness and determine measures that may be implemented to increase the effectiveness of our information security operations. For example, an IT audit of an organization prior to the implementation of an information security program might result in eight audit findings directly related to information security issues. If a subsequent audit the following year showed that the dedication of two full-time staffers to the information security effort reduced the number of findings from 25% to 6%, this would be a strong case for increasing the resources dedicated to information security. This also shows how you can use the number and severity of deficiencies found in these audits as a measure of the effectiveness of your information security program. If the program is effective, you should see a declining number of deficiencies over time.
If your department isn't subject to formal external audits, conducting informal internal audits can fulfill the same role. Use tools like Nessus, the Center for Internet Security benchmarks and the Microsoft Baseline Security Analyzer to assess server/workstation preparedness. For example, the security scorecard might track the percentage of workstations that achieve a passing score (determined by organizational standards) against the CIS benchmarks. A low score on this measure shows the need for more attention to workstation security while a high and/or increasing score indicates a successful effort. If you conduct your own audits, you might consider using a security scorecard to track changes in your posture over time. Microsoft offers a sample scorecard that rates an organization's security posture using a five-layer model.
2. Lost productivity
Lost productivity is a measure commonly used in IT organizations to calculate the effectiveness of maintenance programs. One common example of this is the use of server uptime to assess the success of preventative maintenance programs. You can use this same metric to evaluate the amount (of time or money) lost due to information security issues. For example, you might measure the amount of time spent by operational employees dealing with the aftermath of a virus. A successful information security effort should result in a lower total number of hours lost. If your organization already tracks productivity loss for the general IT infrastructure, it should be straightforward to create a subcategory for information security issues and use these figures to track the effectiveness of your efforts over time. If information security issues result in a significant loss of productivity, this would be good evidence for allocating additional resources to the information security effort.
3. User satisfaction
By its very nature, information security is an activity that's heavy on end-user interaction. Therefore, user satisfaction with information security efforts is an excellent metric to use as part of an effectiveness measurement process. Send a short survey to users after they interact with a member of your team asking questions like:
- How satisfied were you with the service you received?
- How effective was the solution?
- What impact did it have on your ability to do your job?
Calculate the satisfaction results to determine the level of service you're providing to the organization. The great thing about surveys is that you can slice and dice the data any way you wish. Breaking out satisfaction scores by service type might enable you to pinpoint a deficiency in a specific service. Lower scores across the enterprise may indicate the need to dedicate more resources to customer service. You can also make these scores an integral part of employee evaluations by sorting the survey results by team member. Managers understand customer satisfaction, and it's easy to point to these results as a measure of a successful program.
4. User awareness
A primary responsibility of information security programs is to raise user awareness of information security issues. A rudimentary training program should minimally educate users on critical issues. Measuring its effectiveness provides the opportunity to ensure that users are getting the relevant information they need to do their jobs safely and effectively. Similar to user satisfaction, it involves reaching out to end-users to ask questions. Send out a survey that assesses awareness of job-specific information security issues and see how your employees score. For example, if you ask the question, "How often should you change your password?" and 75% of users report that they feel passwords don't need to be changed, you may wish to emphasize password changes in your information security awareness program. Similarly, if you ask, "What are appropriate methods for transmitting confidential information to a business partner?" and 50% of employees feel that unencrypted e-mail gets the job done, you have a deficiency that needs correcting. High scores indicate an effective education program. If users consistently make errors in the same areas, you have a deficiency that needs to be addressed.
It's important to conduct these surveys using a random sample of end users. You may wish to use a random number generator to select employees from the company directory. You don't want those who play an active role in the organization's information security program to self-select/participate and bias the results. To get the best cooperation, you may want to tell respondents that the survey is being conducted anonymously across the organization for potentially adding resources to improve security awareness. Avoid making them feel like they're being graded on a test or that their scores will be reported to management. That's a surefire way to drive your participation rate into the ground.
Quantifying the success of information security efforts can lead to additional resources. At the very least, it can help you design measurable information security objectives when budgeting time comes around.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. Chapple is a technical editor for Information Security magazine and the author of several information security titles including the "CISSP Prep Guide" and "Information Security Illuminated."