It can be quite difficult to determine exactly what “security” is. For instance, within telecom, it is about getting rid of disruptive elements that can hamper communication. In IT, it is about stopping data from getting stolen or destroyed. In terms of people security, it can be about keeping people safe, or it can be about keeping objects and data safe from people. Security and safety are not the same thing. Safety is about the here and now, whereas security is about reliability and continuity. It is security that helps to put safety in place, in other words.
How to Manage Security
If you want to manage your security, you have to be able to measure it first. Your security personnel must understand the variety of tools and processes you have in place, and they must understand how efficient these programs and tools are. Furthermore, they must be aware of what they are accountable for, and what actions they can take should they spot something that doesn’t look right. All of this also has to be supported by important metrics. Data has to be gathered that makes it possible to answer specific questions, including:
- How much more secure are we today than yesterday?
- How much more secure are we compared to the competition?
- Are we secure enough?
Of course, it is incredibly difficult to generate security metrics. This is true not least because a reduction in security attacks or threats, or even their absence, does not necessarily mean that security is effective. In fact, in most cases, this reduction or absence is simply down to luck. Luck cannot be measured by its very nature, which is why it should also be dismissed by managers. Instead, they should look at critical elements such as asset value, threats, and vulnerability.
Critical Elements to Security
Asset value is quite easy to measure, as it comes down to the good reputation of a business. Threat, on the other hand, is more complex because it measures chance – the chance that a person, an activity, or an incident will lead to harm. Lastly, there is vulnerability, which looks at how likely it is for an organization to sustain harm by looking at its equipment, its people, its activities, and its facility. For instance, if a company installs a new computer system to increase data confidentiality, it should lower its threat level. At the same time, it means the company keeps all its data in one place, which increases its vulnerability.
Experts are still learning how to properly manage security, and great strides are being made. Pioneers in the industry have been working on measurements and metrics for a long time, and their efforts are starting to pay off. They have a long way to go, and we are still a long way away from having a single mathematical formula that can indicate how good or poor the security of an organization is. However, having at least a baseline understanding of the three key elements – asset value, vulnerability, and threat – will get you a long way towards being more secure.