Healthcare has many parallels with information security since both are based on prevention, monitoring, diagnosis and correction to avoid negative results. If medical success, however, were measured only by prevention of death, doctors would be the worst professionals in the world. After all, we are all going to die one day.
Moreover, if we take that same rationale for information security and measure its success or failure only through incident prevention, we will see some successes, but, eventually, there may be failures, perhaps catastrophic. Does this sound familiar?
Instead of waiting for these extreme results, we must track indicators (or risk factors) that can positively affect our situation. As in healthcare, there are risk factors beyond our control, such as gender, age and family history, and behavioral factors that can have a significant impact on our health, including diet, physical activity level and use of tobacco products.
Some decisions about which risk factors to address have already been made in your organization—if not scientifically, at least through common sense. The decisions to implement any defensive technology such as firewalls, antivirus software or web filtering were made based on the risk factors inherent to your business—in most cases, to act on something that you cannot control (threats).
So, what should you measure to improve the health of your information security? Although the evidence may not be as conclusive as in the case of healthcare, there are many good sources of sound practice provided by ISACA® and groups such as SANS, the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The most important thing is to pay special attention to the factors you can control: the processes in place and, in particular, the management of the technologies you have already implemented.
To continue the analogy with healthcare, this can be compared to physical exercise and heart disease: It may not be easy to get off the couch, but the risk of not doing so is high and the benefits are proven. However, measuring these indicators alone will not protect you. We need to cultivate good behaviors—in other words, choosing to "get off the couch" and apply good security management practices (factors that you can control) will have a dramatic effect on your organization and your health as well.
Read Julio Pontes’ recent Journal article:
“Automation, Governance and Security in a Software-Defined World,” ISACA® Journal, volume 6, 2019.