With cyber attacks on the increase, companies are facing an urgent need to implement a real strategy setting out targets for security performance. Although management may be concerned about the complexity of implementing such measures, companies need to look beyond preconceived notions in order to fully grasp the relevance of this type of strategy over the long term. The concept is not widely implemented as yet, but it will (soon) become unavoidable.
Although security performance is a term frequently used following an attack or an incident, it remains a concept that is largely unfamiliar to many companies. It is more widely known in large organisations, which tend to adopt more advanced security strategies, reflecting their status and influence. Given the growing number of attacks and the changes in rules and legislation aimed at tightening business security, this situation cannot last. While the process of change is already under way in the English-speaking world, with the USA passing the Sarbanes-Oxley Act in 2002, countries such as France still need time to adapt, often for cultural reasons.
For the moment, the concept of security is often in contradiction with strategic company objectives. Security performance measures the security level of a company from three main standpoints: service performance, financial performance associated with the concept of ROI, and performance in relation to the company’s goals and challenges. In other words, a security performance strategy needs to reflect the company’s structure and culture. Using a range of indicators, it maximises overall security and contributes to the smooth running of business activities. In view of its complexity, it must be decided and approved by general management, prior to implementation by the IS department in liaison with the CISO. For maximum efficiency, the indicators must closely reflect the company and its sector.
Abandoning a short-term approach in order to obtain real results
For most companies, security strategy still primarily involves taking action after the event, particularly in the case of cyber attacks. They react to events rather than anticipating them, and this makes them more vulnerable to future attacks. A configuration of this type generally produces highly volatile indicators that are difficult to weight as part of an effective security performance strategy. While the aim is not to censure organisations that are not yet taking a long-term approach, a different approach to security will be essential in order to avoid the huge cost to business of cyber attacks and incidents. Thus, implementing an approach that is weighted by the costs of ISS functions and their return on investment will serve not only to help management achieve its goals, but also to manage the contributions and constraints of those same ISS functions.
Naturally, zero risk does not exist. Nevertheless, it would be in the best interest of companies to allocate a budget to developing a strong and sustainable security performance strategy. Indicators would then become more stable, illustrating real trends that are useful for analysis and the fine-tuning of the security strategy. The aim here is not to present this approach as a fix-all, but rather to point the way forward, even if a short-term approach has a number of advantages. This can be seen in the situation of French hospitals, which have been targeted by repeated cyber attacks. Their priority is to implement a sustainable data protection strategy, but they cannot do this without the resources to immediately secure as much data as possible.
Awareness and acceptance, the keystones of security performance
With this type of strategy, it is not unusual for general management to express reservations concerning a project that will not necessarily deliver fast results. The best way to overcome this reluctance and convince management is to identify customised indicators tailored to the company’s structure. Prior to this phase of change management, it will be necessary to develop a real understanding of the corporate culture in order to submit an appropriate strategy. An educational approach will be needed to dispel any doubts and to move forward in the right direction.
The process of building support for a security performance strategy and measuring its efficiency must go hand-in-hand with efforts to raise awareness at management level and among all the players in the organisation. This will ensure sufficient sponsors for implementation, together with strong support for the changes that are inevitable in this context. You cannot build support for a security performance strategy if nobody understands what it’s for. The aim here is not so much to identify the right indicators but to find the right words to convince people of the merits of a security strategy, along with its feasibility from a business, financial and technical standpoint. Formulating the project in the right way will ensure unanimous support for a project that will contribute both to security and to the achievement of business goals.
