Building an Infosec Program from Scratch: Part 2 — Setting Objectives

Building on the first instalment of the series, Building an Infosec Program from Scratch, we will discuss how to move from understanding the fundamentals of an information security program to determining the direction your program needs to go.

This is a critical distinction and one that is individual to every single business out there. Before we go on, let's touch on the fundamentals again. The main point in developing a solid foundation is determining the critical success factors for your business. These determining factors will define how the business manages risk in general and also give you a sense of the capacity and tooling needs for a full-scale information security program.

Why Setting Objectives is Important

Setting objectives in the context of building an information security program will help your organisation track the progress of managing risk and assessing strategic progress.

These objectives can come in the form of the well-known key performance indicator (KPI). KPIs show data-based evidence of progress towards the goals your organisation sets.

Taken over time, meeting goals on schedule can demonstrate management's collective commitment to effective steering of an organisation. These proven actions can show evidence of aptitude to investors or other stakeholders. Most importantly, they tell a story of the capabilities and journey the organisation itself has taken.

How to Set Objectives

Setting objectives depends on the fundamentals of the business operations that your organisation conducts. This is the very reason why part 1 of this series was the foundation and addressed business operations. Each section in this series builds on the one before it.

So knowing what kind of business you are in, the strategy you have, and the future of the company can assist with creating milestones.

These milestones should be a guideline. Look towards what the organisation should achieve in the next year, 3 years, and 5 years. Think deeply about all of the aspects, both technical and administrative, that these milestones touch. As the organisation experiences growing pains, you will have to tackle issues like employee hiring, upskilling, and retention.

Organisations that grow have the challenge of keeping employees. These firms are usually not in a position to provide great benefits or high pay and are often stressful places to work. Getting and keeping top talent becomes difficult and is often the determining factor between success and failure.

So, objectives are not always directly related to security but may have indirect consequences for it. It is critical to obtain and nourish top talent, as they are the real outside-the-box thinkers. Often the real root cause of a security incident is something that can't be measured, and in some cases it lies in policy that unintentionally creates risk. Experienced professionals can spot this and help reduce risk, which in turn helps your organisation grow.

Design objectives around strategic goals and the skills you have onboard.

What Kind of KPIs to Check

Knowing all of this, below are some KPIs you might want to track. This is not an exhaustive list and you definitely should develop tailored KPIs for your organisation, but these should be a good start.

  • False positives on security alerts and incidents (the fewer, the better)
  • Mean time to incident response and recovery (the lower, the better)
  • Phishing email response or open rate (the lower, the better)
  • Cyber security awareness training (the more participants, the better)
  • KPIs related to 3rd-party SLA agreements
  • How many open risks there are and what their severity is (the lower the count and severity, the better)
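The KPIs above only become useful once someone agrees on how each one is computed from the data the organisation already has (alert tickets, phishing simulation results, training records, a risk register). The following is an added worked example, not code from the original article: it defines one concrete calculation for each of the measurable KPIs in the list over a small constructed data set. The record layouts, the use of analyst triage time as the "response" measure, and the severity weights are all assumptions chosen for illustration; substitute the definitions your own ticketing and risk tools produce.

```python
"""Example KPI calculations for a security programme over constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Alert:
    """One security alert as a SIEM or ticketing system might record it (assumed layout)."""
    alert_id: str
    raised_at: datetime
    triaged_at: datetime                      # when an analyst first acted on the alert
    true_positive: bool                       # False means the alert was a false positive
    recovered_at: Optional[datetime] = None   # set once a confirmed incident is fully recovered


@dataclass
class Risk:
    """One entry in a risk register (assumed layout)."""
    risk_id: str
    severity: str   # "critical", "high", "medium" or "low"
    status: str     # "open" or "closed"


# Assumed weights so that open risks can be rolled up into a single trendable number.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample data; none of this describes real incidents or people.
T0 = datetime(2024, 1, 8, 9, 0)
ALERTS = [
    Alert("A-1", T0, T0 + timedelta(minutes=30), False),
    Alert("A-2", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=15), False),
    Alert("A-3", T0 + timedelta(hours=2), T0 + timedelta(hours=2, minutes=45), True,
          recovered_at=T0 + timedelta(hours=26)),
    Alert("A-4", T0 + timedelta(hours=3), T0 + timedelta(hours=3, minutes=15), True,
          recovered_at=T0 + timedelta(hours=13)),
]
RISKS = [
    Risk("R-1", "high", "open"),
    Risk("R-2", "critical", "open"),
    Risk("R-3", "low", "closed"),
    Risk("R-4", "medium", "open"),
]
PHISHING_SIM = {"sent": 200, "opened": 60, "clicked": 12}   # one simulated campaign
TRAINING = {"headcount": 80, "completed": 64}                # awareness training records


def rate(numerator: int, denominator: int) -> float:
    """Safe ratio; an empty denominator yields 0.0 rather than an exception."""
    return numerator / denominator if denominator else 0.0


def false_positive_rate(alerts: list[Alert]) -> float:
    """Share of alerts that turned out not to be real incidents (lower is better)."""
    return rate(sum(1 for a in alerts if not a.true_positive), len(alerts))


def mean_time_to_respond_minutes(alerts: list[Alert]) -> float:
    """Mean minutes from an alert being raised to an analyst first triaging it."""
    if not alerts:
        return 0.0
    return mean((a.triaged_at - a.raised_at).total_seconds() / 60 for a in alerts)


def mean_time_to_recover_hours(alerts: list[Alert]) -> float:
    """Mean hours from detection to full recovery, over confirmed incidents only."""
    durations = [(a.recovered_at - a.raised_at).total_seconds() / 3600
                 for a in alerts if a.true_positive and a.recovered_at is not None]
    return mean(durations) if durations else 0.0


def open_risks_by_severity(risks: list[Risk]) -> dict[str, int]:
    """Count of open register entries per severity level."""
    counts: dict[str, int] = {}
    for r in risks:
        if r.status == "open":
            counts[r.severity] = counts.get(r.severity, 0) + 1
    return counts


def open_risk_score(risks: list[Risk]) -> int:
    """Severity-weighted sum of open risks, for tracking as one number over time."""
    return sum(SEVERITY_WEIGHT[r.severity] for r in risks if r.status == "open")


def compute_kpis(alerts=ALERTS, risks=RISKS, phishing=PHISHING_SIM, training=TRAINING) -> dict:
    """Roll every KPI up into one report dictionary for a dashboard or board pack."""
    return {
        "false_positive_rate": false_positive_rate(alerts),
        "mean_time_to_respond_minutes": mean_time_to_respond_minutes(alerts),
        "mean_time_to_recover_hours": mean_time_to_recover_hours(alerts),
        "phishing_open_rate": rate(phishing["opened"], phishing["sent"]),
        "phishing_click_rate": rate(phishing["clicked"], phishing["sent"]),
        "training_completion_rate": rate(training["completed"], training["headcount"]),
        "open_risks_by_severity": open_risks_by_severity(risks),
        "open_risk_score": open_risk_score(risks),
    }


if __name__ == "__main__":
    for name, value in compute_kpis().items():
        print(f"{name}: {value}")
```

On this sample, half the alerts are false positives, analysts take 26.25 minutes on average to start triage, confirmed incidents take 17 hours on average to recover, and the three open risks roll up to a weighted score of 9. The point of fixing each definition in code is that the number then means the same thing in every quarterly report, which is what makes the trend, rather than any single value, useful to management.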

What is Next?

In the next article, we will talk about scaling an information security program from a small company’s perspective through growth into a large enterprise to encompass the demands of both organisations.

InfoSec Consultant & Leader | Ransomware Expert | Risk Management Strategist | Published Author | CISSP, CGEIT