Cyber security is becoming one of the most pressing needs of any organization. The growing number of data breaches leaves one asking, “Are we investing sufficiently in our IT Security Program?”, “Are we safeguarded against upcoming threats?”, “What are the industry standards?”, “Is the policy acceptable across the firm?” The answer to all these questions lies in evaluating the effectiveness of the organization’s IT Security Program. Below are a few pointers that aid this evaluation:
Assess the State of Security
The ultimate goal of measuring a Security Program’s effectiveness is to enable decision-making. So, the right security metrics should be used to evaluate the organization’s current cybersecurity posture and that posture's alignment with business and customer needs. Security metrics should also associate effort with results. For example, if you mitigate a risk or offer additional training, what is the effect on the number of incidents and on the severity of breach events?
Choose the right tools - There are four common tools that each CSO/CISO can use to demonstrate the added value of a security program:
1. Security balanced scorecard
2. Risk management
3. Maturity modeling
4. Diagnostic (or goal-question-metric) method
Prepare a checklist - CISOs need to ensure they have not missed a core control or function. Preparing a checklist avoids omissions and oversight. Further, this checklist should identify additional opportunities to enable, accelerate, or add business value. This step opens the prospect of creating a new security initiative or implementing a new technology that will both support and protect business interests.
Identify gaps and develop remediation plans
Regular internal and external vulnerability assessments (health checks, penetration testing, etc.) should be conducted to identify cybersecurity control gaps, measured against the controls appropriate for the industry. For example, internal audit should evaluate InfoSec program effectiveness as part of its quarterly reviews. Once the gaps have been identified, appropriate remediation plans should be developed and managed in line with the organization’s risk appetite.
Set Realistic Targets and Present Views Important to Stakeholders
Understanding what information matters most to stakeholders is the key. CISOs should set realistic targets and be able to demonstrate the growth and improvement achieved by meeting them. Further, these results, including return on security investment and the updates, benefits and contributions of information security, should be communicated effectively to senior management. Dashboard views help demonstrate that improvement is being driven towards an agreed-upon goal.
Establish Cyber Risk Policy/Framework
The organization’s risk appetite should be clearly defined, and inherent cyber risks should be incorporated into existing governance processes. An enterprise-wide cyber risk policy should be developed and put into place. This policy should also clearly set out the roles and responsibilities of the professionals involved in the risk space. KPIs and KRIs should be defined and benchmarked periodically.
In the end, results are what truly matter to an organization. Protecting your organization from hackers, cyber criminals, and malicious employees or insiders depends on an effective security program. It is important to understand that the security program has business-wide implications, and so business processes need to be scrutinized with great care.
Executing an IT Security Program is not the tough part; evaluating its effectiveness is!
Authored By - Vikram Taneja
TCS Enterprise Security and Risk Management