As part of my ongoing journey of seeking good practices for security metrics, I thought I’d pass on a few tidbits I picked up during a discussion the other day. I was in a session with someone who provides security consulting, picking his brain for what is working as he helps organizations translate security into something meaningful to the business.
Here is my paraphrased version of the observations he shared.
- Steer clear of the jargon and avoid security geek-speak. In his experience, “Nobody cares about the technical jargon – they care that you know the technical jargon, they just don’t want to hear it.”
- Use objective data. Your opinions and feelings are just fine, but when it comes to conveying effectiveness, your feelings and opinions are never as good as objective data. Even if you abstract things to a letter grade; a color such as red or green; or a happy/sad indicator make sure that your methods are repeatable, and the data that feed your indicators are as objective as possible.
- Force people to take a stand. When evaluating status or asking people to rate something, don’t provide an odd number of status choices. Why? Too many people will pick the middle one. Instead of [red | yellow | green], use [red | green]. Instead of a 1-5 scale, go with a 1-4 (good, OK, kind of bad, really bad).
- Create competition. I’ve talked about this one before – create some tension in the system by comparing one team to another. Nobody wants to be at the bottom of any stack rank, so creating competition can drive improvement.
- Allow for a lack of perfection. Don’t set your target at 100%- perfection is unrealistic in the real world, and expensive to pursue. Instead, use your objective data and your understanding of your business’s risk to drive the discussion around what’s best for your business. After all, if you’re over-investing compared to your risk exposure, “doing less” may be the right thing for your business.
As always, I’d love to hear from you. If you have good practices to contribute to the discussion, please share! You can leave a comment below, respond on your own blog, or send me an email if you’re shy. Likewise, if you try any of these techniques and have a field report on how well they worked, let me know.