Peter Drucker is famous for saying that you can only manage
what you can measure. Nice thought but, by itself, not much help in terms of
practical advice to the cyber security leader.
So how do we show progress?
In cyber, there is no shortage of things to measure. You'll
also find no shortage of tools that will appear to measure things as part of
the license that you've purchased.
You’ll want to be able to measure progress. Progress means
measurements that should answer three principal questions:
Where are we currently on some scale?
How far have we come?
How much do we have left before arriving at some point
deemed to be success?
The first question requires some unit of measurement. You
can't have a scale without units of measurement. Maturity line items
completed? Maturity score? Coverage of some tool? Percentage of code under governance?
There are tons of options that you can use. What
there aren't tons of options for is agreement by the executives on the
units of measure. Getting there may require you to explain the options so they can decide,
but you'll need this agreement. Agreement on the units of measure means you'll be
aligned with the executives on how you'll measure.
The second question means ensuring that the correct
instrumentation is in place to measure using the agreed-upon units of
measurement. A key point often missed is that you need to define your starting
point (a baseline) before making improvements. That baseline is what lets you show how far you've
come at any future point. It's also a good way to circle back with executives
in the future to show the continuing return on their investment. I also like to have an outside organization do
the evaluation if there is any chance of over-scoring, or to validate any
self-scoring that our team does.
The third question requires a definition of the spectrum of success.
What score is poor? Good? Successful? Again,
there are a ton of choices that you'll probably need to research: industry
average, best-of-breed comparison, etc. You'll need to be able to show your work as to
why your definition of success isn't just an arbitrary measure. Also, remember
that "successful" and "done" are usually very different levels of success, and
some measures may never have a "done". The work behind what you chose for "success",
and whether "done" is achievable at all, should also be part of the agreement and
expectation setting with your execs.
Notice how few of the above questions are related to tools. While tools
may be helpful for input data, depending on the measurements, they will rarely
give executives what they need to really internalize the progress of your cyber
security program in a single view or just a few views.
Agreement on your units of measurement and what success looks like are two elements of what will likely make your approach different from other cyber leaders that don't get the results they seek from executives.
Not making progress? That's not a bad thing if you can demonstrate the levers that need to be pulled to make progress. The measures can show the work behind a request for additional resources or a change in approach.
Regardless of where your current progress is, your measurements can increase the support from execs if you
design them correctly.
Perhaps it's time for a relook if you feel unsupported.
Like what you've read enough to follow me on Twitter? @Opinionatedsec1.