Current State
Teams in security often struggle with tracking the effectiveness of the programs / services / controls that they operate. It is quite common to see measures, metrics and indicators that have no correlation with company / department goals and objectives. This lack of alignment typically leads to:
- A large number of measures / metrics that simply generate noise;
- A lack of clear action / outcome required in response to findings;
- Ineffective application of resources to monitor and produce reporting;
- A lack of quantifiable evidence showing the Return on Investment (ROI) of programs and initiatives.
This article is intended to provide you with a foundation for how you can track progress towards, or achievement of, your goals. The principles discussed here are not security specific, but they will provide a useful grounding for follow-up articles that will specifically focus on tracking performance across different security domains.
The first place to start is by understanding the goals of your company. For security goals to be effective, they need to align with the wider business goals and risk appetite. This will help to ensure you are progressing in the intended direction of travel.
Goals
Identify your goals
A goal is an observable and measurable result (a desired state) that requires one or more objectives to be achieved, often within a defined timeframe.
A goal tends to be long on direction and short on specific tactics. A goal does the following:
- Defines the destination;
- Changes the direction to move toward the destination;
- Changes the mindset to adjust to and support the new direction;
- Creates the necessity to develop specific tactics.
Change is constant. Expect your goals to change with time and be prepared to add, update or remove corresponding objectives.
Set objectives (action plans) to achieve your goals
Objectives set a specific result that a person or system aims to achieve within a timeframe and given available resources. Objectives are about tactics. Tactics are action plans to get from where you are to where you want to be.
A goal defines direction to the destination, but the road to get there is accomplished through a series of objectives.
Determine the risks to achieving your objectives
Risk is the effect of uncertainty on objectives. Identify what risks exist that could stop you from achieving your objectives. For any risks that are outside of the company risk appetite, identify suitable risk response actions and incorporate the required actions into your objective action plans.
Evaluate the relevance of your goals using S.M.A.R.T.E.R goal setting
There are 7 questions you need to ask to ensure your goals remain effective.
- Is your goal Specific?
- Can you Measure progress towards that goal?
- Is the goal realistically Attainable?
- How Relevant is the goal to your organisation?
- What is the Timeframe for achieving this goal?
- Have you Evaluated your goal and determined its relevance to your business?
- Have you Revisited your goal to assess the outcome (success or failure)?
Be clear about what it is you are trying to achieve and set realistic timeframes to work towards. Avoid setting goals that you are unlikely to be able to achieve. This is a particular issue where you have a dependency on others who are outside of your circle of influence.
Examples
Goals | Achieve a secure build standard for infrastructure and system assets | Achieve secure infrastructure and system assets
---|---|---
Objectives | |
Risks | An external attack leads to unavailability of infrastructure / systems. | An external attack compromises the integrity of company data.
Desired State
Goals set the destination and direction of travel to transform your program from its current state to a desired state. Objectives are the action plans that determine how your goals are going to be achieved.
Use of S.M.A.R.T. or S.M.A.R.T.E.R. goal setting supports the identification and maintenance of relevant goals. It's important to re-evaluate your goals and objectives to ensure they remain relevant in progressing towards the desired state.