“Risk cannot be measured,” is a common scientific and mathematical phrase often applied to information security. While it’s true some risk measurements are subjective, it’s naive to believe measurements aren’t attainable. Risk is not a number, but a measurement of risk is.
For example, you can measure:
* The percentage of vendors meeting an organization’s standards,
* A percentage level of compliance to regulations, and
* The number of vulnerabilities present in an environment.
It’s critical for credit unions to identify, prioritize, and manage risk. Management and technical staff must jointly define criteria for measuring information security performance. And these measurements should clearly align with business goals and strategies.
When developing measurement criteria, avoid technical, legal, and subject matter jargon. Focus on measuring the services rendered. Clearly define goals, strategies, and measurements. This facilitates open communication, prudent planning, and financial rewards.
Here are common excuses for avoiding risk measurement:
* “Management doesn’t understand.” Information security encompasses technical and physical security issues. Ensuring confidentiality, integrity, and availability requires deep insight into technology, risk modeling, physical security, laws, and regulations. Technical complexities often hinder communication between management and information technology (IT) staff. The challenge for IT staff: Convey complicated information simply and clearly. The challenge for management: Be willing to accept change.
* “Security measurement is for large credit unions only.” Incorporating information security risk measurement into an organization’s processes takes time, persistence, and often a cultural change. People often feel threatened, dislike change, or have social motivations that slow the process. But credit unions of all sizes benefit from risk measurement activities. It may take time, but persistence pays off when the measurements support budget requests and supply valuable return-on-investment data.
* “Security moves too fast.” Technology continues to change at an astounding rate. Many people feel information security measurement can’t keep up with technological change. But the problem actually may be poorly designed measurements. The intent of measurement is to align corporate strategies with IT. Clearly define the organization’s goals and objectives. Then measure information security as it relates to those goals and objectives.
SMART measurements
Prudent decisions require simple, measurable, attainable, repeatable, and timely (SMART) information. Keep information security risk measurements:
* Simple. Each measurement’s objective must be clearly understood by all intended parties. Create a list of key performance indicators. Avoid technical, legal, and other jargon. Avoid data overload and stay focused on specific performance measurements.
* Measurable. While many facets of security and risk are hard to quantify, focus on what can be measured-for example, the number of vulnerabilities or the number of incidents.
* Attainable. Some measurements are direct outputs of existing reports and systems; others may require analysis to derive the value. Make sure your measurement goals are attainable over time, since they must be continually assessed and managed with minimal cost.
* Repeatable. Since you’ll want to show trends to generate useful data, make sure the measurements are easy to take over time and can be repeated.
* Timely. Outdated information can skew analysis and directly impact decisions. The timeliness of data often determines its value. Make sure measurements are easy to deliver as needed. Aim for maximum automation with minimal manual activity. Establish clear communication and access rights at the start.
Your credit union can measure information security performance. Risk models, financial measurements, key performance indicators, and other measurements can help you align information security with organizational goals and strategies.