Security Critical Success Factors

Within the context of information security, Critical Success Factors (CSFs) are objectives or goals that must be met before an organization can provide reasonable and appropriate protection of its information assets.  In this article, I explore seven CSFs that lead to an acceptable level of information asset assurance.

1.  Management support.  The support of all levels of management is the foundation for an effective security program.  But to optimize this CSF, support must begin in the CEO’s office and spread down to all subsequent management layers. 

2.  Security policies, standards, guidelines, and procedures designed to meet strategic and operational business objectives.  Following management support, a documented security program must be put in place.  A policy contains:

  • A description of a program element or operational system
  • The objectives to be met through adherence to the policy
  • High-level statements of administrative, physical, or technical guidance for reaching the policy’s objectives
  • Responsibility for administration, application, and enforcement of the policy
  • Possible sanctions for failing to follow the policy

Standards are mandatory configurations or activities, the performance of which supports one or more policy objectives.  Guidelines differ from standards in one characteristic; they aren’t mandatory.  Managers can use guidelines to make decisions about security issues when no specific standard exists.  A procedure is a step-by-step process that results in a specific, consistent outcome.  A detailed database server build is an example of a procedure.  Procedures should support compliance with security policies, standards, and guidelines.

3.  Assurance is reached through risk management.  Unless an organization has an unlimited security budget, resource constraints prevent a security manager from reducing overall risk to zero.  Instead, she must decide how to apply her security dollars to achieve the greatest impact.  This is accomplished through the use of risk management.  Well-defined risk management processes can provide her with a clear picture of the threats and vulnerabilities related to each critical business system.  Armed with this information, she can target specific activities to reduce risk to levels acceptable to senior management.

4.  Active security awareness program.  The existence of a security program has no impact on an enterprise if employees are not made aware of it.  An effective security awareness program goes beyond posting policies, standards, guidelines, and procedures to the company Intranet.  Maximum impact is achieved through frequent formal communication, in which employees are educated on what security means to the business and to them.

5.  An adequate security budget.  The first four CSFs are excellent tools, but are useless without the funding necessary to implement and manage the activities that support them.  A successful security budget should, at a minimum, include dollars for infrastructure, penetration and vulnerability tests, and day-to-day tasks performed by a dedicated security team.

6.  A documented Incident Management Program supported by a trained Incident Response Team (IRT).  One of the three basic areas of concern for security managers is availability.  A well-designed Incident Management Program, executed by a regularly trained IRT, ensures a rapid recovery from security incidents with a minimal impact on the business.

7.  Simple, meaningful metrics.  It’s important to measure the success of the first six CSFs.  Metrics provide the tool necessary to accomplish this.  But a manager must make sure metrics management doesn’t become a career path in his organization.  Instead, metrics should measure the outcomes of critical security systems and processes.  Once collected and analyzed, the results show senior management the business value realized from security spending.

This is just a basic list of success factors.  The list might grow, shrink, or consist of a much different set of CSFs.  The important thing is the process through which a manager arrives at the end result. The journey required to build a meaningful list of CSFs has some side effects.  The most important is a better understanding of the strengths, vulnerabilities, and threats related to your network and to individual systems. 

The topics in this article are covered in more detail in my upcoming book, “Just Enough Security,” which is scheduled for publication in April of this year. 

Author:  Tom Olzak
