Manufacturing Technology Insights | January 2021 | page 9

Service level indicators (SLIs) are communicated in real time to the customer and used to drive prioritization for service improvement. In practice, what this means is that for each security service that the team delivers to its customers, there are defined metrics aligned with business objectives. The customer will always know and understand the performance of the services being delivered; this transparency is a functional requirement for accountability, and thus for the continuous maturation of those services.

Continuous improvement requires continuous measurement. So how do we measure what matters? Start conservatively and prioritize. The customer must help define high-priority measurements based on risk for each service delivered. These measurements should align with and flow from established processes, which means that your policies and standards--the makeup of your information security management system--must undergird what you are measuring and thus what success looks like. Measuring informal or inconsistent processes will result in garbage data, as will providing metrics that are untethered from business outcomes. The practice of measuring and monitoring must be automated so it doesn't detract from service delivery efforts.

Once you have run through the process of defining and implementing what successful security service delivery looks like from the customer perspective for each service, you generate a baseline performance view. This may indicate that your SLOs need to be adjusted to account for reality. For example, the volume of DLP alerts could make a 15-minute SLO impossible to achieve for your incident response team, and your error budget will be consumed immediately (rendering it impossible to devote the necessary resources for service improvement).
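The baseline exercise described above, as an added example that is not part of the article: it computes a triage-time SLI for a DLP alert queue, the error budget left against an SLO target, and the smallest time window at which a given target would actually be attainable. The alert timestamps are constructed (a single analyst working a steady arrival stream), and the function and parameter names are this example's own.

```python
"""SLI / SLO / error-budget baseline for a security service (DLP alert triage)."""
from datetime import datetime, timedelta
from math import ceil
from typing import List, Tuple

def simulate_queue(n_alerts: int, arrival_min: int, triage_min: int) -> List[Tuple[datetime, datetime]]:
    """Constructed sample: alerts arrive every `arrival_min` minutes and one
    analyst works them in order, spending `triage_min` on each. Returns
    (raised, triaged) pairs; latency grows as the queue backs up."""
    t0 = datetime(2021, 1, 4, 9, 0)
    pairs, analyst_free = [], t0
    for i in range(n_alerts):
        raised = t0 + timedelta(minutes=arrival_min * i)
        start = max(raised, analyst_free)          # wait for the analyst
        analyst_free = start + timedelta(minutes=triage_min)
        pairs.append((raised, analyst_free))
    return pairs

def latencies_minutes(pairs) -> List[float]:
    """Minutes from alert raised to alert triaged, per alert."""
    return [(done - raised).total_seconds() / 60 for raised, done in pairs]

def sli(pairs, window_min: float) -> float:
    """SLI: fraction of alerts triaged within `window_min` minutes."""
    lat = latencies_minutes(pairs)
    if not lat:
        return 1.0                                 # no alerts: nothing missed
    return sum(1 for l in lat if l <= window_min) / len(lat)

def error_budget_remaining(sli_value: float, slo_target: float) -> float:
    """Fraction of the error budget (1 - target) still unspent, floored at 0."""
    budget = 1.0 - slo_target
    consumed = 1.0 - sli_value
    return max(0.0, 1.0 - consumed / budget)

def attainable_window(pairs, slo_target: float) -> float:
    """Smallest window (minutes) at which `slo_target` of alerts would meet it:
    the k-th smallest observed latency, k = ceil(target * n)."""
    lat = sorted(latencies_minutes(pairs))
    k = ceil(slo_target * len(lat))
    return lat[k - 1]

if __name__ == "__main__":
    baseline = simulate_queue(n_alerts=12, arrival_min=5, triage_min=10)
    for window in (15, 60):
        s = sli(baseline, window)
        print(f"{window:>3}-min window: SLI={s:.3f}, "
              f"error budget left at 90% target={error_budget_remaining(s, 0.90):.2f}")
    print(f"window at which a 90% target is attainable: "
          f"{attainable_window(baseline, 0.90):.0f} min")
```

With this constructed load the 15-minute window is met for only 2 of 12 alerts and the error budget is gone immediately; the same data shows a 90% target becomes attainable at a 60-minute window, which is the kind of SLO adjustment the baseline is meant to surface.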
You will likely find that SLOs must be balanced across your different services so that your service portfolio can coexist successfully as a whole. This illustrates why bilateral negotiations on expectations and delivery between customer and provider are critical. The customer will understand prioritization of delivery between different services, which should align to business objectives; this in turn should translate naturally into SLO adjustments across the service portfolio.

Technology in general--and security as a specialty practice area--is composed of people, processes, and technology. As a practice, InfoSec generally leans into the people and technology aspects. Spending resources on your people and technology is admittedly more fun than developing and continuously refining your processes. However, if you do not apply rigor and success criteria to security, you can only be accidentally successful. Security cannot be ad hoc if the goal is to consistently drive positive business outcomes.

To adopt the SRE model for Information Security service delivery is to fundamentally rethink the relationship InfoSec has with the business. It is an approach where we must measure what matters most and be radically transparent with our customers. This approach is both liberating and terrifying--liberating because it provides a fact-based framework that will illustrate clearly where Information Security is delivering business value ... and terrifying because it provides a fact-based framework that will illustrate clearly where Information Security is not delivering business value. Your position on the continuum between liberation and terror is dependent on how you have approached service delivery in the past.

Now is the time for Information Security to transform itself into a business enabler. To obtain a seat at the table, it is critical that InfoSec is viewed as a partner by the business. To do so, InfoSec must demonstrate that it provides value and is not merely a cost center.
This means speaking the language of the business and embracing the role of a security service provider. It means leading in terms of radical transparency and the accountability that it enables. It means measuring what matters.

Joshua Brown