The Importance of Continuous Improvement in Security Performance Management

Angela Gelnaw | March 22, 2019 | tag: Security Performance Management

When it comes to managing their organization’s cybersecurity performance, security and risk leaders must take a risk-based, outcome-driven approach. They can do so through targeted measurement, continuous monitoring, and detailed planning and forecasting in an effort to measurably reduce cyber risk.

Continuously monitoring an organization’s security posture is just the start in building a mature security performance management program. Businesses need to go beyond continuous monitoring to really be effective — there needs to be a process of continuous improvement.

According to ASQ, continuous improvement is “the ongoing improvement of … processes through incremental and breakthrough improvements. These efforts can seek ‘incremental’ improvement over time or ‘breakthrough’ improvement all at once.” While breakthrough improvements are effective, it is the incremental improvement of security processes and procedures over time that leads to lasting change. Several principles make up this model for the continuous improvement of cybersecurity; they are detailed below.

1. Small changes can yield significant improvements.

When managing your security performance, you need to start with a baseline. Baseline performance metrics are typically the best way to start thinking about how to take a more outcome-based approach to managing your organization's security program. For many security and risk leaders, security ratings have become this baseline measure of how effective their overall security program is.

The next question is how to improve that baseline measurement programmatically over time. Assessing each area of your program for strengths and weaknesses identifies where improvement is needed. Allocating resources to those weak areas should, over time, produce incremental gains that strengthen the entire program and improve the organization's overall security posture.

2. Employee feedback identifies opportunities for improvement.

Many savvy companies have implemented security awareness training initiatives so that employees take more responsibility for their company’s cybersecurity. In fact, company culture and employee behavior are two of the key things that will determine whether or not your organization becomes any safer or less vulnerable. Listening closely to employee feedback — since they are the individual contributors who implement many of these security measures — is critical in seeing an organization’s security posture improve. Ultimately, the goal is to create a culture of security awareness; a company that has a culture that cares about security is one that will have better processes in place that will lead to overall better, more effective security programs and to fewer negative outcomes.

3. Incremental improvements lead to long-term value.

Especially when it comes to cybersecurity and security ratings, it can take time for remediation actions to become apparent, both internally and in your security rating. The reason is that "fixing issues" one at a time is like a band-aid: it covers a symptom while the underlying process failure persists, and the same class of issue keeps reappearing. It takes time to understand what the process failure is and what the right solution should be. As your processes improve, the number of issues should decrease, and both your rating and the effectiveness of your security program will follow. Eventually, you will have a better security program to discuss internally and will become a better, more trusted business partner to work with.

4. Employees take ownership and are involved in improvement.

Similar to giving feedback that helps shape security initiatives, employees need to take ownership of the security initiatives that your company is implementing. This starts with the allocation of work, where leaders can clearly assign work to "owners", which then makes accountability easier to monitor, measure, and track. This empowers employees to take charge of their own work, identify problems or opportunities for improvement, follow through on implementing their ideas, take credit for the work, and see a measurable impact from their efforts. Ultimately, improving company-wide engagement when it comes to cybersecurity ensures that the topic is top of mind.

5. Constant feedback is key to improvement.

Constant feedback and open communication are required to give the organization visibility into its own security posture, as well as that of its key business partners. A security ratings platform enables the communication and collaboration that lead to greater efficiency, increased transparency, and the automation at scale required to measurably reduce cyber risk across your ecosystem.

By understanding which security measures are working within their program, where risk lies across their business ecosystem, and which partners they might not want to work with again, all members of a security and risk team can be a part of ensuring continuous security improvement. Ultimately, ratings facilitate data-driven, risk-based conversations about cybersecurity among key stakeholders including your security team, executives, board members, regulators, investors, and key business partners. This allows all of these stakeholders to quantify and engage with your continuous cybersecurity improvement.

6. Measurable improvement and process repeatability.

Key aspects of security performance management are the ability to plan, allocate, prioritize and measure outcomes of your security efforts over a specific time period. Security ratings allow you to align your investments and actions with the highest measurable impact for your organization’s cybersecurity program over time. Once you know where to improve your processes and you have figured out how to improve, then automation and repetition of those processes over time can lead to greater efficiencies.
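The following script is an added example, not BitSight code and not any vendor's rating algorithm. It illustrates principles 1, 3, 4 and 6 together: it records a per-area baseline, measures improvement against it each period, flags regressions (the band-aid pattern, where an area's score drops again after a fix), and ranks the weakest areas with their accountable owners so resources can be allocated where the gap is largest. The area names, owners, counts and the scoring formula are all constructed assumptions.

```python
"""Track security performance against a baseline, per area and per owner.

Added example (not BitSight code). Each period, a snapshot records for one
program area how many findings are still open and how many were closed
within or outside the remediation SLA. Scores, areas and owners are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AreaSnapshot:
    period: str         # reporting period, e.g. "2019-Q1"
    area: str           # program area / risk vector (hypothetical names)
    owner: str          # person accountable for this area (principle 4)
    open_findings: int  # findings still open at period end
    closed_in_sla: int  # findings remediated within SLA this period
    closed_late: int    # findings remediated after the SLA expired


def area_score(s: AreaSnapshot) -> float:
    """Score 0-100: share of all findings this period that were closed within SLA.
    Hypothetical formula; an empty area (nothing to fix) scores 100."""
    total = s.open_findings + s.closed_in_sla + s.closed_late
    if total == 0:
        return 100.0
    return round(100.0 * s.closed_in_sla / total, 1)


def score_history(snapshots: List[AreaSnapshot]) -> Dict[str, List[Tuple[str, float]]]:
    """Per-area list of (period, score), ordered by period; first entry is the baseline."""
    hist: Dict[str, List[Tuple[str, float]]] = {}
    for s in sorted(snapshots, key=lambda x: (x.area, x.period)):
        hist.setdefault(s.area, []).append((s.period, area_score(s)))
    return hist


def improvement_vs_baseline(snapshots: List[AreaSnapshot]) -> Dict[str, float]:
    """Latest score minus baseline (first period) score, per area (principles 1 and 6)."""
    return {area: round(h[-1][1] - h[0][1], 1) for area, h in score_history(snapshots).items()}


def regressions(snapshots: List[AreaSnapshot]) -> List[Tuple[str, str, float]]:
    """(area, period, drop) wherever a period scored below the previous one.
    A drop after a 'fix' usually means the symptom was patched but the process was not (principle 3)."""
    out: List[Tuple[str, str, float]] = []
    for area, h in score_history(snapshots).items():
        for (_, prev_score), (period, score) in zip(h, h[1:]):
            if score < prev_score:
                out.append((area, period, round(prev_score - score, 1)))
    return out


def prioritize(snapshots: List[AreaSnapshot], latest_period: str, top: int = 3) -> List[Tuple[str, str, float]]:
    """Weakest areas in the latest period with their owners, lowest score first,
    so limited resources go to the largest gaps and accountability is explicit."""
    latest = [s for s in snapshots if s.period == latest_period]
    ranked = sorted(latest, key=lambda s: (area_score(s), s.area))
    return [(s.area, s.owner, area_score(s)) for s in ranked[:top]]


# Constructed sample data: three areas over three quarters (hypothetical).
SAMPLE = [
    AreaSnapshot("2019-Q1", "patching", "alice", open_findings=12, closed_in_sla=4, closed_late=4),
    AreaSnapshot("2019-Q2", "patching", "alice", open_findings=8, closed_in_sla=10, closed_late=2),
    AreaSnapshot("2019-Q3", "patching", "alice", open_findings=3, closed_in_sla=14, closed_late=3),
    AreaSnapshot("2019-Q1", "tls-config", "bob", open_findings=5, closed_in_sla=5, closed_late=0),
    AreaSnapshot("2019-Q2", "tls-config", "bob", open_findings=1, closed_in_sla=9, closed_late=0),
    AreaSnapshot("2019-Q3", "tls-config", "bob", open_findings=4, closed_in_sla=6, closed_late=0),
    AreaSnapshot("2019-Q1", "open-ports", "carol", open_findings=0, closed_in_sla=0, closed_late=0),
    AreaSnapshot("2019-Q2", "open-ports", "carol", open_findings=2, closed_in_sla=2, closed_late=0),
    AreaSnapshot("2019-Q3", "open-ports", "carol", open_findings=0, closed_in_sla=4, closed_late=1),
]

if __name__ == "__main__":
    for area, delta in improvement_vs_baseline(SAMPLE).items():
        print(f"{area:12s} change vs baseline: {delta:+.1f}")
    for area, period, drop in regressions(SAMPLE):
        print(f"REGRESSION {area} in {period}: -{drop}")
    for area, owner, score in prioritize(SAMPLE, "2019-Q3", top=2):
        print(f"PRIORITY {area} (owner {owner}) score {score}")
```

Run as a script it prints the per-area change since the baseline quarter, the two regressions (open-ports in Q2 and tls-config in Q3, both areas that looked "fixed" one quarter and slipped the next), and the two weakest areas in Q3 with their owners. The point is the shape of the process, which repeats unchanged every period: snapshot, compare to baseline, flag regressions, assign the gap to an owner.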

BitSight for Security Performance Management enables security and risk leaders to measure the performance of their cybersecurity program, align investments and actions with the highest measurable impact over time, efficiently allocate limited resources on the most critical areas of cyber risk within their organization, as well as facilitate data-driven conversations around cybersecurity among key stakeholders. By continuously tracking security improvements within their organization, security and risk leaders can ensure that they have constant visibility into their state of risk.
