What is a good security compliance program? How do you measure its performance? How do you communicate to the senior leadership of your company the current state of operations and the plans for the future? One approach is to compare yourself against your peers. (Defining your peers depends on each individual product and service. Too often businesses classify their industry based on the business as a whole and lose sensitivity to the context of the individual service and product line.) More specifically, when analyzing the security compliance program, particular areas and metrics can be considered (the competitiveness and leading indicators of your security compliance program must cover additional areas beyond those listed here).
To consider the state of your security compliance program compared to your peers, the following points should be considered and tracked at the executive leadership level:
- How do you compare to your competitors? This question alone requires that the leadership team of the security compliance program has defined explicitly who the competitors are.
- In the marketplace, what deals have you won or lost, to whom, and what products or services were involved?
- What is the customer attrition, broken down by customer type, and what is the rationale behind it?
- What is the number of queries regarding security compliance being submitted to the business through sales, engineers, customer support, and executives?
An analysis of these four points within the context of security compliance will clarify the areas where the program is positively or negatively affecting the market strength of the business's products and services.
Thoughts and expansions?