Defense In Depth Podcast: Measuring the Success of Your Security Program

How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing?

Our founder and CEO, Chad Boeckmann is a guest! We have been pleased to sponsor the October episodes of the podcast!

On this episode of Defense in Depth, you’ll learn:

  • The process is very systematic. Start with knowing your risks, how you’re going to track them, and the controls you’re going to put them in place to manage them. Simple to say, hard to do.
  • Security risk is just one of a multitude risks a business faces.
  • Data’s whereabouts is a moving target. Having confidence in its location and protections is key to managing overall risk.
  • Constantly be asking who has access to the data and what communications processes are you using to share that information between humans and machines.
  • Discuss with leadership as to how you will judge success and what metrics you will use. C-suite will need to lead the discussion with security providing guidance as to what they can and can’t measure.
  • If you’re measuring security’s performance this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others.
  • An informal metric for success could be how often is security getting invited to informal meetings.
  • Overall positive sentiment of security by non-security employees.
  • How well are you able to build (are people eager to work with you?) and maintain your staff?
  • Another “out of the box” metric to consider are opportunity costs. How many contracts are you losing because you were incapable of meeting a potential customer’s security standards?
  • Strong debate as to what is the goal of a security program: Risk reduction or risk management? It’s very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.