September 13, 2021

The risk is measurable

“Risk cannot be measured” is a claim often applied to information security. While it is true that some measures of risk are subjective, it is naive to believe that measurement is not achievable. Risk is not a single number, but it can be measured.

For example, you can measure:

* The percentage of suppliers that meet the standards of an organization,

* A percentage level of compliance with regulations, and

* The number of vulnerabilities present in an environment.

It is essential for credit unions to identify, prioritize and manage risk. Management and technical staff should jointly define criteria to measure information security performance. And these measures must be clearly aligned with business objectives and strategies.

When developing metrics, avoid technical, legal and other subject-matter jargon. Focus on measuring the services provided. Clearly define goals, strategies and measures. This facilitates open communication, prudent planning, and a clear financial return.

Here are some common excuses for avoiding risk measurement, and why they do not hold:

* “Management does not understand.” Information security encompasses technical and physical security issues. Ensuring confidentiality, integrity, and availability requires a thorough understanding of technology, risk modeling, physical security, laws, and regulations. Technical complexities often make communication difficult between information technology (IT) and management personnel. The challenge for IT staff: convey complicated information simply and clearly. The challenge for management: be willing to accept change.

* “Security measurement is only for large credit unions.” Incorporating information security risk measurement into an organization’s processes takes time, persistence, and often a cultural shift. People often feel threatened, do not like change, or have social motivations that slow down the process. But credit unions of all sizes benefit from risk measurement activities. It may take time, but persistence pays off when metrics support budget requests and provide valuable ROI data.

* “Security is moving too fast.” Technology continues to change at an astonishing rate. Many people feel that information security measurement cannot keep up with technological changes. But in reality, the problem may be that the measures are poorly designed. The purpose of measurement is to align IT with corporate strategy. Clearly define the goals and objectives of the organization. Then measure information security against those goals and objectives.

SMART measures

Prudent decisions require simple, measurable, achievable, repeatable and timely (SMART) information. Keep information security risk measures:

* Simple. All stakeholders must clearly understand the purpose of each measurement. Create a list of key performance indicators. Avoid technical, legal and other jargon. Avoid data overload and stay focused on specific performance measures.

* Measurable. While many facets of security and risk are difficult to quantify, focus on what can be measured, for example, the number of vulnerabilities or the number of incidents.

* Achievable. Some measurements are direct outputs of existing systems and reports; others may require analysis to derive the value. Make sure your measurement goals are achievable over time, as they need to be continually evaluated and managed at minimal cost.

* Repeatable. Since you will want to show trends to generate useful data, make sure that measurements are easy to take over time and can be repeated.

* Timely. Outdated information can skew analysis and directly affect decisions. The timeliness of the data often determines its value. Make sure measurements are easy to deliver as needed. Aim for maximum automation with minimal manual activity. Establish clear communication and access rights up front.
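The following Python example is added here to show what a SMART measure looks like once it is reduced to code; it is not from the original post. It assumes a hypothetical vulnerability-scanner export with one record per finding (identifier, severity, date first seen, date closed), remediation SLAs of 7/30/90/180 days that are a constructed policy rather than anything the post prescribes, and a constructed set of findings. Each KPI is computed as of a snapshot date, so re-running it for the same date gives the same answer (repeatable), findings the scanner had not yet reported on that date are excluded (measurable against a fixed population), and a report whose data is older than a week is flagged (timely).

```python
"""Added example (not from the original post): turning raw vulnerability findings
into the simple, measurable, repeatable and timely KPIs the SMART list describes.
The scanner export format, the remediation SLAs and the sample findings below are
all constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical remediation policy: days allowed to close a finding, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str           # one of the SLA_DAYS keys
    first_seen: date        # date the scanner first reported it
    closed: Optional[date]  # None while the finding is still open


# Constructed sample data standing in for a scanner export.
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2021, 8, 20), date(2021, 8, 24)),  # closed in 4 days
    Finding("F-2", "critical", date(2021, 9, 1), None),                # open, past 7-day SLA
    Finding("F-3", "high", date(2021, 7, 1), date(2021, 8, 15)),       # closed in 45 days, SLA missed
    Finding("F-4", "high", date(2021, 9, 5), None),                    # open, still within SLA
    Finding("F-5", "medium", date(2021, 6, 1), date(2021, 7, 15)),     # closed in 44 days
    Finding("F-6", "medium", date(2021, 9, 10), date(2021, 9, 20)),    # still open on 13 Sep
    Finding("F-7", "low", date(2021, 9, 25), None),                    # not yet reported on 13 Sep
]

# Two snapshot dates and a report date used by the usage below (constructed).
AS_OF_SEP_13 = date(2021, 9, 13)
AS_OF_SEP_30 = date(2021, 9, 30)
REPORT_DATE = date(2021, 10, 1)


def _known_on(findings, as_of):
    """Findings reported by as_of; later ones must not leak into an earlier snapshot."""
    return [f for f in findings if f.first_seen <= as_of]


def _is_open_on(f, as_of):
    return f.closed is None or f.closed > as_of


def _age_days(f, as_of):
    """Days the finding has been (or was) open, measured as of the snapshot date."""
    end = as_of if _is_open_on(f, as_of) else f.closed
    return (end - f.first_seen).days


def open_findings_by_severity(findings, as_of):
    """KPI: number of open findings per severity on the snapshot date."""
    counts = {sev: 0 for sev in SLA_DAYS}
    for f in _known_on(findings, as_of):
        if _is_open_on(f, as_of):
            counts[f.severity] += 1
    return counts


def percent_within_sla(findings, as_of):
    """KPI: share of known findings closed inside SLA or open but not yet overdue."""
    known = _known_on(findings, as_of)
    if not known:
        return None
    ok = sum(1 for f in known if _age_days(f, as_of) <= SLA_DAYS[f.severity])
    return round(100.0 * ok / len(known), 1)


def mean_days_to_remediate(findings, as_of):
    """KPI: average open duration of findings closed by the snapshot date."""
    durations = [_age_days(f, as_of)
                 for f in _known_on(findings, as_of) if not _is_open_on(f, as_of)]
    return round(sum(durations) / len(durations), 2) if durations else None


def snapshot_is_timely(as_of, generated_on, max_age_days=7):
    """Timely: the data behind a report may be at most max_age_days older than the report."""
    return 0 <= (generated_on - as_of).days <= max_age_days


def kpi_report(findings, as_of, generated_on):
    """One repeatable snapshot; the same as_of always yields the same numbers."""
    return {
        "as_of": as_of.isoformat(),
        "open_by_severity": open_findings_by_severity(findings, as_of),
        "percent_within_sla": percent_within_sla(findings, as_of),
        "mean_days_to_remediate": mean_days_to_remediate(findings, as_of),
        "data_is_timely": snapshot_is_timely(as_of, generated_on),
    }


if __name__ == "__main__":
    for as_of in (AS_OF_SEP_13, AS_OF_SEP_30):
        print(kpi_report(SAMPLE_FINDINGS, as_of, generated_on=REPORT_DATE))
```

The point of the snapshot date is that the two runs differ only because the underlying data changed between them (F-6 was closed and F-7 appeared), not because the calculation did; a metric that cannot be recomputed for a past date cannot show a trend. The timeliness flag is deliberately part of the report rather than a separate check, so a stale number cannot be presented as current.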

Your credit union can measure information security performance. Risk models, financial metrics, key performance indicators, and other metrics can help you align information security with your organization’s goals and strategies.
