By Ed Moyle TechNewsWorld Part of the ECT News Network
02/22/08 8:30 AM PT
There's a lot to be said for immediate gratification -- especially in business. This was one of the first lessons that I learned in entering the business world. I learned that in business, "six months" really means "never."
In one of my first jobs, I represented security in regular project inception meetings. Stakeholders representing different business and technical areas would gather to discuss budget, timeline and viability for a series of proposed projects. The meetings were brutal, with millions of dollars in budget on the line. Many were tense enough that they escalated to shouting matches between participants, and there was at least one that ended with a thrown punch.
However, the lesson for me came during the part of the meeting when it was time to set the schedule. Since I would have to work closely with the application teams once the schedules were finalized, I paid careful attention to the timeline. After the timeline elapsed, I'd reach out to them to find out where they were in the process. I noticed a peculiar thing: any project with a time horizon of six months or longer vanished.
Like something out of 1984, these projects were just gone. The project manager was working on something else, the developers were committed elsewhere, budget was reallocated. In fact, no documentation existed to suggest that the project had even been proposed. The project was a victim of "out of sight, out of mind."
Never Is a Long Time
For those who really want to see the six-month rule in action, I'd recommend they spend some time as a security professional. Most of us in security have a bushelful of strategic goals that we'd like to see realized. However, most of them are almost impossible to make happen because the timeline is so far down the road. In other words, the end state where we want to be is beyond the magical six-month event horizon (i.e., "never"), and the long-term goal falls down due to necessities in the short term.
For example, look at metrics. The majority of firms have (or had) at least one security metrics initiative. Ask yourself where your metrics program is now -- is it where you wanted it to be? If yours is like most, the answer is no. Sure, there are a few firms that have put together reasonable security metrics, but this is by far the exception rather than the rule. There are other firms that have "redefined their success criteria" to label their metrics program a success -- even though what they have now is anything but what they aimed for at the outset of the project. It might sound harsh, but generally speaking, most firms aren't where they wanted to be.
It's not just metrics. Most long-term security goals are in the same boat: compliance frameworks, vendor governance, information security management systems (i.e., your "program"), process efficiency. All of these things can (and often do) fall victim to the six-month rule.
Information security is particularly prone to this because of the pressure that's on us to react as we go through our jobs day to day. It's not hard to see why. Almost every day, we're forced to make at least one immediate tactical decision and in most cases carry it through to execution. That's not easy. In fact, trying to maintain the energy for a payoff months down the road when we're constantly besieged by high-priority emergencies that need our attention now is nigh-on impossible. Who in their right mind would prioritize metrics or program efficiency when the malware du jour is keeping users from getting their e-mail? Not me.
In Sight, In Mind
We have to ask ourselves, given the reality of information security as a discipline, how can we set ourselves up to succeed strategically? If the giant bolt-on initiative doesn't work, what does? The answer to that, in my opinion, is to make metrics (or any other strategic information security project) less like building a bridge and more like going to the gym.
The thing about building a bridge is that it's absolutely useless until you're done. You have to work continuously all the way through to completion before you can get any value out of it. By contrast, going to the gym gives you some value each and every time you go -- the more you go, the more value you get. If you do a workout every day -- even if on days that you're busy you do less of a workout than on days that you're not -- very soon you'll see some success (even if it's not as rapid as it would be if you had time for the full drill every single day). As you work out more, you'll get better at it over time; as you learn how to use the equipment and as your body becomes more attuned to the exercise, your workout will be more and more effective.
Turning back to the example of metrics -- if you use the "build a bridge" model (where it's only useful when you're done), you'll find that it might take you long enough to get where you want to be that the project is scrapped, people lose interest, or management gets frustrated with lack of results. If, on the other hand, you create a "culture of metrics" where you (and others) stay focused on integrating metrics into day-to-day activities, you'll find yourself seeing targets of opportunity to gather metrics that you might have missed before when it wasn't at the top of mind.
For example, try to slowly integrate metrics into the things you already do and as opportunity arises. Deploying a new system? Find out what kind of data you can harvest and make sure they deploy it so that it sends you that data. Setting up a review process for vendors? Come up with some kind of scoring system and keep track of how vendors perform relative to each other. As you add indicators to new processes or systems, each incremental investment provides value and helps you push toward the end state.
Is it the kind of holy grail dashboard that gives you the current state of your program at a glance? No. That won't come until much, much later. However, if the dashboard is "pie in the sky" and won't pay off now, chances are you'll never have it. If you can get utility from the parts with the goal of integrating them later, you'll get there.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.