"Risk cannot be measured," is a common scientific and mathematical phrase often applied to information security. While it's true that some risk measurements are subjective, it's naive to believe measurements aren't attainable. Risk is not a number, but a measurement of risk is.

For example, you can measure:
* The percentage of vendors meeting an organization's standards,
* A percentage level of compliance with regulations, and
* The number of vulnerabilities present in an environment.

It's critical for credit unions to identify, prioritize, and manage risk. Management and technical staff must jointly define criteria for measuring information security performance, and these measurements should clearly align with business goals and strategies.

When developing measurement criteria, avoid technical, legal, and subject matter jargon. Focus on measuring the services rendered. Clearly define goals, strategies, and measurements. This facilitates open communication, prudent planning, and financial rewards.

Here are common excuses for avoiding risk measurement:
* "Management doesn't understand." Information security encompasses technical and physical security issues. Ensuring confidentiality, integrity, and availability requires deep insight into technology, risk modeling, physical security, laws, and regulations. Technical complexities often hinder communication between management and information technology (IT) staff. The challenge for IT staff: Convey complicated information simply and clearly. The challenge for management: Be willing to accept change.
* "Security measurement is for large credit unions only." Incorporating information security risk measurement into an organization's processes takes time, persistence, and often a cultural change. People often feel threatened, dislike change, or have social motivations that slow the process. But credit unions of all sizes benefit from risk measurement activities. It may take time, but persistence pays off when the measurements support budget requests and supply valuable return-on-investment data.
* "Security moves too fast." Technology continues to change at an astounding rate. Many people feel information security measurement can't keep up with technological change. But the problem actually may be poorly designed measurements. The intent of measurement is to align corporate strategies with IT. Clearly define the organization's goals and objectives. Then measure information security as it relates to those goals and objectives.

SMART measurements

Prudent decisions require simple, measurable, attainable, repeatable, and timely (SMART) information. Keep information security risk measurements:
* Simple. Each measurement's objective must be clearly understood by all intended parties. Create a list of key performance indicators. Avoid technical, legal, and other jargon. Avoid data overload and stay focused on specific performance measurements.
* Measurable. While many facets of security and risk are hard to quantify, focus on what can be measured, for example, the number of vulnerabilities or the number of incidents.
* Attainable. Some measurements are direct outputs of existing reports and systems; others may require analysis to derive the value. Make sure your measurement goals are attainable over time, since they must be continually assessed and managed with minimal cost.
* Repeatable. Since you'll want to show trends to generate useful data, make sure the measurements are easy to take over time and can be repeated.
* Timely. Outdated information can skew analysis and directly impact decisions. The timeliness of data often determines its value. Make sure measurements are easy to deliver as needed. Aim for maximum automation with minimal manual activity. Establish clear communication and access rights at the start.

Your credit union can measure information security performance. Risk models, financial measurements, key performance indicators, and other measurements can help you align information security with organizational goals and strategies.