The legendary British Prime Minister Benjamin Disraeli is said to have observed that “There are lies, damn lies, and statistics.” Much of the technology world is fixated on statistics and metrics. You have often heard it said, “If I can’t measure it, it doesn’t exist.” That idea is known as the McNamara fallacy (named after Robert McNamara, the Ford executive turned Vietnam-era Secretary of Defense), and it failed miserably as a strategy. While it sounds good to a CEO, it breeds a corollary among the people below: “If my boss wants to measure something that doesn’t exist, then I’ll invent it!”
According to our survey data going back to 2008, security budgets have grown by only single-digit percentages year over year, despite a steady run of high-profile breaches from Heartland Payment Systems to Wikileaks to Sony. That is hardly enough to keep pace with the increasing sophistication of attacks, the avalanche of breach notification laws, and the changing business and IT environment.
The changing business and IT environment is perhaps the greatest concern. With an explosion of mobile devices and other endpoint form factors, and an ever-expanding ecosystem of customers, partners, clouds, service providers and supply chains, you have less and less direct control over your data, your applications and your end-user identities. We refer to this expanding ecosystem as the “extended enterprise”: one in which a business function is rarely, if ever, a self-contained workflow within the infrastructure boundaries of the company. We believe the extended enterprise is such a major shift for CISOs and security professionals that we have dedicated our upcoming Security Forum to it, along with a significant stream of research.
At Forrester, when we research a topic we place a great deal of emphasis on relevance and on what relevance actually means. For the busy executive, it is sometimes difficult to wade through long lists of operational security metrics and understand how relevant that information is to the mission of the business. A further problem is understanding what your metrics say about the security posture of your organization and about the health of the business overall.
The draft title of the report I'm currently working on is Information Security Metrics – Present Information That Actually Matters To The Business. In the paper, I plan to focus on the key factors that make security metrics relevant. The idea here is that if people start checking their BlackBerrys and iPhones while you're presenting your report, it's probably time for some new metrics.
Success means educating your organization’s C-suite in a positive way and demonstrating the value that you and your information security program provide.