Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Jul 16, 2013

SMotW #66: organization's financial health

Information Security Metric of the Week #66: the organization's economic situation

An organization that is in dire straits, financially, is essentially forced to dig-in, concentrating its remaining resources on sheer survival.  As such, it is likely to minimize its expenditure in all discretionary areas, including some (but hopefully not all!) aspects of information security.  Cutbacks may be severe, creating a depressing atmosphere that leads to the best people leaving, hastening the vicious downward spiral.  Conversely, an organization that is riding high, financially, is likely to have its infrastructure well in hand with enough cash left over to invest in whatever people and projects management sees fit to support. Proposals to refine its information security arrangements towards best practice are far more likely to gain support in this situation, while it is more likely that the organization can afford the quality of people to make things happen.  

So, at this strategic or gross level of analysis, it is not unreasonable to surmise that there is a relationship between the organization's overall financial health or economic status and the state of its information security.  Against that background, Acme's managers used the PRAGMATIC approach to explore the possibility of using Acme's financial health as an indicator of its information security situation.  

Given that the links between economics and security are, to be frank, somewhat tenuous, the metric's score was not terribly impressive:

P
R
A
G
M
A
T
I
C
Score
72
80
10
80
80
80
61
80
79
69%

The very low 10% rating for Actionability points to an obvious concern ("If the metric was well below par, would we have any idea what to do to fix it?"), hence this particular infosec metric seems unlikely to feature in Acme management's cockpit instrumentation.  

During the PRAGMATIC discussion, however, one of the managers raised an intriguing counterpoint: if the two factors are indeed linked, wouldn't Acme's infosec status also indicate its financial health?  Might high-level infosec metrics be of value for general corporate management?  "Are we looking at this the wrong way around?" she asked.  

While the discussion headed off at a tangent on leading and lagging metrics, the CISO quietly contemplated that in those cold, dark, pre-PRAGMATIC times, this kind of creative discussion around metrics simply would not have occurred in the C-suite.  There was no common understanding about metrics, and little appetite or even opportunity to discuss their design or selection since management was forever desperately trying to make sense of the untidy heap of crappy metrics before them.  They were far too busy digging to notice the hole.