Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

Are your information security goals SMART?

Daniel Andersson

Information Security Advisor and Consultant at CAPSAB
Daniel is a senior security manager in the banking and card industry; he has worked with PCI DSS since 2005 and has broad experience implementing PCI DSS.

Daniel also has an IT engineering background, having worked with a broad selection of platforms and communication equipment.

Daniel is an ISACA Certified Information Security Manager (CISM), a PCI Professional (PCIP) and a certified Security Culture Practitioner.

Have you already set the goals for your information security program? Did you ensure that the goals are Specific, Measurable, Achievable, Relevant and Time-specific (S.M.A.R.T.)?

Ensure that your goals are S.M.A.R.T.!

You may ask yourself: how do I know if my goals are SMART? Let’s demonstrate how you can take a goal and test it.

Let’s assume you set the goal “All employees shall have full knowledge about the security policy”.

By checking the goal above against each SMART component, we can see how well it measures up:

Is the goal specific? Yes, it tells us that all employees shall know the full security policy.

Is the goal measurable? Yes, we can construct a test to check the knowledge of each employee.

Is the goal achievable? I would probably say that it could be.

Is the goal relevant? Probably not. Although all employees are responsible for security, their job may only require them to know a part of the security policy. So let’s redefine the goal to make it relevant:

“All employees shall have knowledge of the parts of the company security policy that apply to their job functions”.

The goal is now relevant, as it is hard to argue that employees do not need knowledge of the parts of the security policy that apply to them.

Is the goal time-specific? No, there is no mention of time anywhere in the goal. In theory the goal can never fail, because we have not specified how long we are allowed to try to fulfil it. Let’s redefine the goal again, adding a time parameter:

“All employees shall have knowledge of the parts of the company security policy that apply to their job functions within one month”.

The goal above would be a good one to set in a project or when rolling out new revisions of the security policy. Since goals are also needed for ongoing security-related work, an adaptation of the goal for that purpose could be:

“All employees shall have knowledge of the parts of the company security policy that apply to their job functions before they are allowed to access sensitive data”.

Using SMART goals has been proven to give more success in reaching them. This is because the goals are more structured and easier to follow up on, and because you have evaluated them beforehand and deemed them achievable; having goals that you may never achieve will drain your energy and your drive to reach them.

You will reach your goals more easily using the SMART method.

In addition to SMART goals, there are other good tricks that make it easier to achieve your goals. Instead of having a few really large and heavy goals, try to divide them into smaller pieces; then you will see that you can tick off some of the goals at quite a fast pace. As you are probably reporting goal fulfilment to your management, both you and they will have a good feeling when you can show that you are reaching your goals on time over and over again.