Getting Started
Analyzing other dimensions about your security program tells you things that just looking at effectiveness alone does not. Don't get me wrong -- effectiveness is a good starting point. If you don't understand whether your countermeasures are appropriate and working well, you've got some fairly sizable fish to fry.
However, if you want to take the next step and ensure that you're a responsible steward of your organization's resources, then stopping there just doesn't cut it. Why? Because governance, at its core, is about making the best use of resources to advance the organization's mission optimally. How can you do that if you don't understand the efficiency, resilience or maturity of the security measures you have in place?
The question for security executives therefore becomes how you can understand other dimensions of security systematically and holistically. There are a few ways to get started. One approach starts with an objective stock-taking of countermeasures according to an economic or maturity point of view.
Maturity is straightforward -- systematically work through each security mechanism you have in place and critically evaluate where it falls on the maturity spectrum. The important part is to be as objective as possible; if objectivity is hard to achieve internally, consider bringing in an unbiased third party, such as an audit firm or security consultant, to help with the evaluation.
An economic viewpoint is a bit more involved, but still not rocket science. Start by understanding what it costs on an annual basis to operate the countermeasures you have in place, both in soft costs (such as staff time and effort) and in hard dollars (such as software licensing fees, or maintenance fees paid to vendors or service providers).
It's important that you not try to boil the ocean at first. Even if your financial calculation model isn't perfect, breadth of coverage is more important than pinpoint accuracy out of the gate. Why? Because each mechanism you can model in this way can then be compared against the others.
The more you can evaluate, the more inefficiencies you can find, which will result in better decisions about future investments. Keep in mind that you can improve the accuracy of your models down the road as you start to see the benefits of taking this type of approach.