Security innovation metrics
The final two pieces of awareness material for the security innovation module's management stream fell neatly into place today.
I've developed a kind of maturity metric for security innovation - a simple, consolidated measure that literally 'takes account' of the mesh of factors at the intersection of information security with innovation and creativity.
The GQM (Goal-Question-Metric) approach that Krag and I teach through our PRAGMATIC security metrics courses is ideal for this. Elaborating on the business goals in the subject area is the starting point, leading naturally on to a set of questions, which in turn become rows in the scoring table at the core of the metric.
The metric is systematically defined using our standard template, adding details such as who performs the measurement, how and when they do it, and to whom it is reported. The PRAGMATIC score, followed by a brief assessment of the metric's pros and cons, completes the picture, rounding out a reasonably succinct yet thought-provoking paper worth talking through with management. Regardless of whether the metric is actually adopted in the end, the thinking and discussion around it satisfy the security awareness objective. Job done!
The final management piece for the module is an 'elevator pitch' - just 100 carefully chosen words summing up the module's main security awareness messages for busy senior managers. Although it took me less than an hour to get those 100 words down on paper, they are the culmination of several months' research and thinking. The pitch is more than just a helicopter summary: its main purpose is to catch the reader's imagination and stimulate them to consider the topic, thereby priming them for subsequent informal conversations with colleagues - socializing security, in our terms, which is also part of the awareness objective.
No time to lose: the professionals' materials need to be completed sharpish. Pop by tomorrow to see how they pan out.