What gets measured gets done
We think you know the problem. You have set a clear security policy, described your strategy in detail, and even outlined what good looks like and who is responsible for what. Yet somehow targets are still not being met consistently, if at all. Simply put, the fundamental problem is about measurement. Without measurement, things do not get done. And without continual measurement, cascaded appropriately throughout the organization, things do not get done consistently. But managing security levels is hard. So is putting metrics in place. Why?
In our experience, measurement approaches are often not clearly or completely designed or communicated. How are security results calculated? Is everyone using the same definition? How are they cascaded so that they are relevant at all levels in the organization? And who needs to know?
Worse still, measures at the wrong level do not provide insight into what needs to be adjusted lower down in the organization to drive the right result. What is needed is what we call business context. If people understand why something must be done, what must be done, who can help do it, and how it must be done, it is more likely that targets will be met. And if it is being measured, it gets done.
"75 percent of respondents say metrics are 'important' or 'very important' to a risk-based security program."
Ponemon Institute, 2013, "The State of Risk-Based Security Management"