There are times when looking at something narrowly can be more effective than taking a wider and more comprehensive view. If you don’t believe me, consider the experience of looking at organisms in a microscope or watching a bird through binoculars. Distractions are minimized, allowing optimal evaluation and analysis of what’s under investigation.
In security, the normative way that we understand and examine the security of our organizations has a focus similar to the examples above: We examine the effectiveness of the security countermeasures (i.e., controls) put in place to achieve security objectives.
If you’ve ever had a program-level security assessment performed, for example, chances are good the assessor evaluated your controls — what wasn’t working and why — and recommended improvements to make them more effective.
Like the microscope or the binoculars, this narrow focus on effectiveness is useful from an executive vantage point. It tells us whether we are getting what we expect from the countermeasures we have put in place. When one or more of those methods or mechanisms fail to perform the function they were intended to perform, or when their scope is too narrow to protect the organization fully, it is important to know that.
Just like focusing on a bird through binoculars occludes your ability to see the broader landscape, looking at security effectiveness alone does not provide the full picture of what you as a security manager or executive might care about.
There are dimensions beyond effectiveness that are directly relevant to security operations. Surprisingly, many organizations do not examine them at all, which can mean they are not using their resources optimally.
For the purpose of illustration, consider multiple ways to implement the same countermeasure. One company might implement a countermeasure in a very mature way — for example, following processes that are documented, and implementing measures to learn and improve its operation. Another might just sort of wing it.
Say Company A implements a patch management process that is well documented and highly automated, while Company B leaves it to a junior intern. Both may be patching effectively today, but the two are not equivalent: maturity is a second dimension beyond effectiveness. Effectiveness asks, "does the countermeasure work or not?" Maturity asks whether it will keep working through personnel changes, changes in business processes, or other changes.
In addition to maturity, another dimension…