Review of Information Security and Risk Management Strategy – Complex or Straightforward Exercise?
In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.
One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting information pertinent to each phase of the strategy), increase accountability (by linking metrics to performance appraisals and business plans) and to align objectives of individuals, teams and the organisation itself.
In most cases this is easier said than done, but it is still worth investigating the creation of a metrics and strategy re-assessment process that covers, at a minimum (thanks to Rayport and Jaworski for the inspiration):
• Articulation of the Security Strategy.
• Translating Strategy into Desired Outcomes.
• Devising Metrics.
• Linking Metrics to Leading and Lagging Indicators.
• Calculating Current and Target Performance.
How complex an exercise is this? In recent weeks I have given a couple of presentations to the boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategies.
Are exercises like this 12-month-plus projects à la Big 4, massive undertakings costing millions, or can an experienced eye provide the same end result in a fraction of the time? Read on.
My audiences were somewhat gobsmacked when I said we could do this work for them in weeks (not many months or years), at a cost in the thousands, not hundreds of thousands or millions! “How good was the last work done by Big company if you’re already looking for it to be done again?”, I asked. This received nods all round. Fair question?
Now let me emphasise that the scope is strategy, not finding every single security issue in the organisation. (That is something different.) It is, though, an apples-with-apples comparison against what they have received before from Big company: work that has led to little advancement in IT Security and Risk Management practices within those organisations.
The bottom line is that such an exercise is not a complex undertaking, so it doesn’t need a long and complex explanation. A good starting point, and one that has always worked for us, is here: The 7 Reasons why Businesses are Insecure.
You can give this many titles and it is all the same thing: “Why the IT Security and Risk Management Strategy is failing”, “What are we doing wrong with IT Security?” etc.
It doesn’t have to be complex because, in most cases, where the strategy fails is in basic management and governance, and in the associated accountability and ownership of basic processes and controls. It is that simple. I’ve never seen an organisation in a “bad” way in regards to IT Security where the CEO (and/or other senior management) is supportive, is a key stakeholder in all strategy initiatives and is actively involved in ensuring the strategy is on track. That says it all in 95%+ of cases.
Do I need to expand further on why a strategy review to find what is failing, why, and what needs to be “fixed up” need only take a short time? Hey, to be honest, in most cases 95%+ of the report is done in our heads within 15 minutes of starting the conversation/interview with the CEO (and/or senior management). The rest of the time is spent confirming we have that 95%+ correct and finding any surprises, and generally we don’t.
“Argh… you’re simplifying this too much, Draz”, you might be saying. From my experience, I’m not. Have a good think about it before you engage someone who tells you it will take 6 months or more to review your corporate IT Security and Risk Management strategy.


June 12th, 2009 at 10:09 pm
Lock this one up as *the* standard for all that are about to hire a consultant. They all need to read this! THANK YOU! I will be linking this in my emails to my manager.
June 12th, 2009 at 10:31 pm
The ATO did this and then it failed, and then we hired the same consultants back again to tell us why it failed. Work that out! Happy partners at PWC! They are LOL. Do they care? LOL!
June 13th, 2009 at 12:25 am
Information security strategy does not always equal good security, just as good security never happens without a strategy. Hiring a huge firm to borrow your watch only to tell you what time it is should not be the norm, and will seldom produce desired results. However, there is definitely some value in soliciting advice from someone who is not burdened by your every-day grind.
Looking at the company strategy can be done in 6 months, 6 weeks, 6 days, and 6 hours. In understanding what’s actually required, I would focus more on methodology and less on how long it takes, and how much it is.
June 13th, 2009 at 1:20 am
Seems a consensus on what we know. Can someone point the business and government people to read this. All countries included.
June 14th, 2009 at 5:07 pm
Thanks to Donal from http://www.nodecity.com/ for this one:
http://www.youtube.com/watch?v=UtYzoQOKUac
Just viewing it now. Related, yes.
June 14th, 2009 at 5:23 pm
Responds to self after viewing:
I looked at the Balanced Scorecard years ago from Kaplan and Norton but thought it lacked in areas that you then needed to make assumptions….too many gaps.
I chose the “performance dashboard” as the basis for strategy review – it had more to it. (Rayport and Jaworski). Mixed that up a bit with my stuff and got to where I am. The only thing holding it back to a large degree is that you need to have a decent strategy in place firstly to review how good it is.
Seriously – think about that. If there’s little to nothing there or it’s just bad, “fancy” metrics and ways at looking at things are a big waste of time.
June 20th, 2009 at 1:25 pm
Makes logical sense and once again, complexity need not be the prerequisite for something to be right.
Some big companies have made some big dollars and have left many clients with little to show for the investment.
I know that it has to work both ways but results are what we judge things upon. Good points, well thought out and one of the better approaches I have seen.
V
September 7th, 2009 at 10:16 pm
How well is your strategy aligned with your corporate strategy?
Surely the success of the organisation will ensure the success of the security strategy.
Sure, measure and mark, get out the charts, if you really feel the need to. I have found an effective governance framework to work better in some situations. In other situations, I have found charts to be better.
Alignment is the key to all business locks; without it, you have nothing. So make sure that whatever you do is aligned with where the business is going; or get off the bus.
September 8th, 2009 at 9:38 am
@geexr,
The last line here is meant to cover this and in other posts, essays, I probably state that more clearly but yes, that is the goal of course also.
“…….. and to align objectives of individuals, teams and the organisation itself.”
No, the success of the organisation will not necessarily “ensure the success of the security strategy”. Why do you believe this would be the case? It’s not what we see out there.
The Governance stuff is key as mentioned here:
http://beastorbuddha.com/2007/11/10/the-7-reasons-why-businesses-are-insecure/
Charts and pretty pictures… yeah, but who for and when? They’re great if there’s substance to what is being done and some actual achievements, but charting month after month of “nothing”, well, back to the drawing board: what is it you want to achieve? How are you “charting” progress and/or success in a strategy?
Close alignment is just as key with IT and Infosec as with any other component of a business. I agree there. Maybe you should expand on a few of the initial points. Might be a more interesting discussion. Thanks geexr.
DD
September 14th, 2009 at 2:38 pm
I guess the general theme to my response lies in the ‘different horse for different courses’ idea.
I have worked with a number of organisations, across a number of industries, where the programme(s) have all taken on a different inertia of their own.
The underlying success factor for an effective programme is the alignment of the programme(s) with the business goals.
I like the seven (7) security management plan – it makes perfect sense to a security professional; so how do we convince those ‘non-believers’ that we need to do it?
1. Common communication;
2. Business aligned enterprise risk management;
3. Effective decision making framework (a.k.a governance);
and
4. Appropriate measurement.
In sum; business aligned security/assurance/risk strategy(s).
I hope that clears it up.