Thursday, April 18, 2013

Security Metrics In The News

If you want a practical example of some of the difficulties around security metrics, give a listen to the current immigration reform debates.

This week, the congressional "gang of eight" that has been working on an immigration reform package is due to release its proposals to the world.  Prior to this release, many conservatives have lined up against some of the reform plan's supposed features.  One of the rallying points for the opposition is that any sort of reform should be enacted only after our borders are secure.

Sounds reasonable, to be certain.  The only problem right now is defining what "secure" means in this context.

In the past, the Department of Homeland Security has used a metric called "operational control" to define border security.  This metric measured the percentage of the border over which the government had positive monitoring and could respond in a reasonable amount of time to suspected border incursions.  The operational control metric has since been scrapped, as the data it provided was deemed "largely meaningless" in the political context of border security.  For the past few years DHS has been struggling to come up with a metric that makes sense; to date one is still lacking.  Senator John McCain pointed this out in a recent congressional hearing on immigration, along with the need for such a metric in order to make immigration reform meaningful.

The new immigration proposal is reported to tie reform to border security, with a requirement for the US to be able to successfully interdict at least 90% of illegal immigration.  No information has been released as of yesterday as to how they intend to accomplish this...or, more fundamentally, how they are going to measure success.

Sound familiar? :)

Many of us have faced (are facing?) similar problems with our metrics.  Our organizational leadership has a desire to create a secure environment, but does not necessarily know what that environment looks and feels like.  If we are lucky, our leaders understand that absolute security is oxymoronic as long as their doors are open for business.  Still, what does an appropriately secure state look and feel like?  What are its indicators?  How do we measure it?

I submit to you that our failure as professionals to engage in these difficult conversations with our leadership is one of the reasons that compliance has become the de facto benchmark for security.  Compliance is easy to define, easy to measure, and easy to recognize...but as we all know, compliance is not an accurate measure of security for complex, multi-faceted organizations.  Being PCI compliant, for example, does nothing to ensure appropriate protections for your intellectual property, your healthcare data, or your personnel.  While our metrics and the decision-making behind them are (hopefully) not as politically charged as those DHS must develop, we need to continue to evolve our reporting schema if we wish to show the true value of what we do for our organizations.

Keep an eye on the immigration debates in the weeks to come.  Listen to discussions of securing the borders.  If nothing else, it's a useful reminder to us all of the importance of properly framing and engaging in metrics discussions in our own organizations.
