Most cars nowadays come with driver and passenger airbags. It’s a great safety feature that’s helped save numerous lives since installing them routinely has become the norm. But sometimes, though it is rare, airbags fail to deploy even when circumstances arise where they should. Ask yourself: How would you know the difference between an airbag that works compared to one that doesn’t? The “airbag” light may be on, everything might appear to be working, but do you actually have any hard evidence that the system works? Short of actually crashing the car to test it, the answer is probably no.
Now, I’m not bringing this up to scare anybody, but it’s a fact of life that sometimes a functional security mechanism (i.e., a working preventative control like an automobile airbag) looks exactly like a non-functional one. There are plenty of examples: ground fault circuit interrupters, burglar alarms, vehicle tracking systems, etc. The point is, sometimes it’s hard to tell if a security mechanism is working unless it fails in the face of the event it’s designed to protect against.
This is no less true when it comes to security in an enterprise. A functional security program looks very similar to a non-functional one. Now, security professionals will recognize this isn’t exactly news. We’ve known for a long time how hard it is to measure success in security. However, it’s a useful truism for security professionals to keep front of mind. Why? Because maybe your program isn’t working … and not knowing when and why is a big deal. Short of thorough security metrics (most shops aren’t there yet) or a security event of catastrophic magnitude, warning signs are subtle. But there are a few things that organizations can keep an eye out for that are indicative of systemic problems.
Warning Sign #1: You Didn’t Get the Invite
Information security organization is most effective when viewed as a trusted partner — by business partners, application developers, compliance, legal, senior management and, most of all, other areas of IT. The best way to tell whether security is seen as a trusted advisor and a useful organization to partner with in solving business challenges is the degree to which team members are invited to participate in ongoing planning activities, both technology related and otherwise.
When the security organization stops getting invited to the table, you know there’s a problem. It’s a subtle warning sign highly symptomatic of an underlying problem. When security finds itself on the outs, a proactive approach is to get more involved; perhaps a shift in how your organization operates once involved is a good idea.
Warning Sign #2: Partners going it alone
In a large organization that have multiple technical teams supporting different business areas, it’s highly likely that there are going to be security-savvy folks outside of the security organization. This isn’t normally cause for concern. But situations in which technology partners bring in new staff to perform functions that overlap with central security roles are a warning sign.
Likewise, it a concern when they implement competing tools and services.
A situation like this is indicative that central services are either insufficiently marketed (partners don’t know about them) or that they’re not meeting customer needs (partners don’t view them as useful). Asking business partners directly why they chose to go the direction they did is likely to prove instructive of the underlying reason. Taking swift action to make it more appealing (i.e. cheaper or better) for them to come to you next time is a useful step.
Warning Sign #3: Nobody Reads the Memo
Quite a few of the tasks key to security hinge on reporting. We generate risk reports, audit reports, operational event reports, metrics and trend data, etc. When those reports go unread, it’s a bad sign.
Casually — and, if you can, spontaneously — ask consumers of those reports for feedback, maybe about a formatting or structural change, to see if they’re actually reading them. Or, if the report format supports it, enable view tracking to see if the reports are actually opened by those on the receiving end. If they aren’t, chances are good that those reports aren’t viewed as relevant, and it’s probably time to revisit what you’re reporting on.
Warning Sign #4: Tasks Stall … and Stay Stalled
When security is viewed as a critical activity, it enjoys management visibility and priority in allocating resource time. When it isn’t viewed as critical, other tasks take precedence. When the security team finds that simple hygiene-related tasks (patching, system maintenance, etc.) stall for long periods of time, it’s symptomatic of a broader deprioritization of security activities.
I’m not talking here about a patch cycle being deferred temporarily due to a production deployment or other high-profile event. Instead, I’m referring to situations where simple tasks take an inordinately long time due to lack of participation from stakeholders. When this occurs, it means security isn’t enough of a priority to make things happen. This may necessitate redirection of priorities from the top down.
Warning Sign #5: Employee Morale
Lastly, it may sound trite on the surface, but morale of employees within the security organization is a useful barometer of effectiveness. In other words, when employees are dissatisfied, either with their jobs or the organization overall, it’s a telling sign. Periodically gauging employee morale by asking them directly for feedback can help you find out if employees are dissatisfied.
If they are, systematically collect and evaluate their concerns and look for common themes. Take action on those themes. Since folks in the trenches are likely the ones with their fingers on the pulse of things, this is some of the best data you can get.
Now, obviously, these aren’t the only warning signs — and none of them are rocket science, per se. Not only that, there are more accurate ways to collect performance data (i.e. security metrics). But since good metrics initiatives are rare, keeping an eye open for these warning signs can help you spot an underperforming security program and take remedial action before a major event throws deficiencies into stark relief.