Monitoring Security Compliance
There are a number of metrics that one can monitor to see if one is in compliance with corporate and government security requirements. Unfortunately, governance is lacking at many organizations or the governance supervisors are paying attention to the wrong metrics.
Below are three metrics that everyone should consider monitoring:
1. Program participation levels:
Too often one or two units sign up to participate and the executives check the task as done. The chief security officer (CSO) and CEO should be ensuring every unit is fully participating.
2. Verification that third-party providers are in compliance:
All suppliers of products or services should conform to the security requirements. This includes software and software patches, cloud providers, and non-IT service providers.
3. Audit security compliance and monitor the red flags:
Whether it is internally written code, handheld devices or clean desks, there should be governance procedures in place to ensure data is fully protected. Audits should be done periodically and the number of red flags found and the trends will provide excellent indicators of the company's security risk exposure and areas that need to be cleaned up.
There are myriad metrics one can monitor in addition to the ones above. However, it is important to ensure that the chosen metrics are actionable and not just a set of numbers that are nice to know.
According to a recent Raytheon/Websense survey, only 28 percent of executive respondents felt the security metrics used in their organizations were "completely effective," whereas 65 percent felt the metrics were "somewhat effective." There is tremendous room for improvement in companies of all sizes across all industries.
The risk exposure for failing to implement reasonable security practices is enormous – not only in terms of penalties but also in terms of customer and supplier loyalty and future revenue streams. Properly securing customer data is not just a good thing to do to keep customers satisfied but it is a sound business practice.
With breaches in the news almost weekly, one could falsely conclude that most companies are choosing to ignore reasonable security practices. There are failures of commission as well as omission, and many individuals simply do not follow through on corporate practices, which is why monitoring is a must.
Business and IT executives should ensure sound security practices are in place, constantly monitored, and reported to the CEO and Board of Directors periodically throughout each fiscal year.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.