Measuring success in security

Can success be measured in security? One industry leader argues that it cannot, and that needs to change

One of my favorite questions to ask as a journalist and reporter has always been “How do you measure success?”in a recent interview I conducted with him. He notes the organizational aspect of security is something that needs to be addressed. Companies have varied job architectures within their structure and are trying to figure where to place security, what they should focus on and do. He believes as a result, security lacks what he called a "baseline" and needs to figure what success looks like. What kinds of functions should be available in the company to really cover security well? Where should they be placed and what should they do? “

I’ve covered several different beats over the years in my journalism career. I covered local education when I was a television reporter in Vermont. I wrote about human resources, staff and career management while writing for a local business publication and even had the Windows OS as a beat for a while when writing for a online tech site.  

While the areas of coverage I’ve written about over the years are varied, the question was frequently applicable time and time again: How do you measure success? In asking it to so many types of professionals, I've found it serves as an excellent gauge for many factors. It also tends to opens the source up to offering additional insights on what challenges they've encountered, and how their mission may have changed from the outset.

When I began focusing on security for CSO in 2008, I continued asking sources that question for many stories. While the answer still frequently provides great insight, I've also noticed that often the response is: “Measuring success is difficult in security.”

Former Zynga CSO and Cloud Security Alliance Cofounder Nils Puhlman addresses this conundrum in security

Puhlman goes on to say:

“At a company that has had a security executive for five years, how does the CEO of that company know the security program is running well? For every other profession, you have industry publications. There are other companies you can ask because there is enough comparative information. But because security is so individual and unique, it's hard to compare that. That shouldn't be the case. That makes it hard for any company, any board of directors, to assess what needs to be changed or fixed or adjusted. “

CSO's Derek Slater recently addressed the oft-lamented difficulty of lack of hard numbers, specifically when it comes to applying real risk management to security.

True, there are metrics in security. As an example, Lance Spitzer of SANS Institute Securing the Human Program recently noted that they are now offering a set of free metric tools designed to give security leaders the ability to track and measure the impact of their own security awareness programs. But concrete measurements are still difficult to ascertain in security.

How do you measure success in your security department? Does that translate at all into how success is measured throughout the rest of your organization? Leave a comment with your thoughts or email me at

Cybersecurity market research: Top 15 statistics for 2017