Business ebbs and flows in most industries, and unless you are demonstrating true value it is hard to respond positively when management must make hard decisions. If technology services are not demonstrating value, i.e., they are not aligned with what the business needs or there is waste throughout the system, perhaps a healthy dose of self-evaluation is in order. To that point I want to elaborate on an INC. magazine article I contributed to, entitled “Instituting Security Metrics” by Lora Shinn.
There are two lines of thought I want to explore: the first is how security metrics *can* enhance the value of the technology environment, and the second is how they can save the business.
Security Metrics are any measure of the organization’s efforts to safeguard the assets of the corporation. These may be sensitive information databases, actual hardware devices, the staff, or any number of categories depending on your business. It is important to recognize that these are “a part of” a greater measurement effort within your business. It is 100% certain that your business is currently calculating ROI, ROA, ROE, and hundreds of other metrics relating to finance, employee turnover, customer satisfaction, competitive industry scorecards, and even compensation baselines. These existing performance, governance, and business metrics can provide the technology group with a sufficient methodology and format when preparing similar security metrics.
In order to enhance value to an organization, technologists must be able to:
- Justify the technology deployed
- Identify important assets within the architecture
- Measure what the business requires of these assets
Only at this point can action be taken. The “action” referred to here may include decommissioning unnecessary hardware, eliminating specific redundant architectures, insourcing or outsourcing specific functions, or transforming the operations to a fully distributed platform.
The end result is a technology services group that achieves an optimal balance between mission and cost, thereby providing meaningful impacts to both the top and bottom lines of the financial statements.
Saving the Business:
Loss of sensitive data, downtime due to forensic investigations or viruses, government and industry partner fines, loss of customers, and loss of confidence among business partners are the results of security failing. Security metrics must consider the inputs into these risks for the business so that each can be mitigated appropriately as necessary. In future postings and in a recent research briefing I will elaborate on these important points.
Check out the article here, and please post your comments on how you feel security metrics should be positioned and which ones are your favorites.