How do CISOs know whether they have sufficient funding? What are the best ways to measure progress? When results have been measured, how can successes and failures be communicated to the rest of the business?
These are questions that CISOs -- as well as any employee involved with information security -- face on a regular basis. They were central to a presentation given by Mike Zachman, deputy CISO of construction at Caterpillar Inc., a machinery and equipment company, at this year's Interop Conference.
During his time at Caterpillar, Zachman was responsible for the global development and deployment of the company's information security program. He is currently leading the information security transformation for two of its high-risk business units.
In order to measure and communicate progress, demonstrate strategic alignment, and calibrate with program management, Caterpillar adopted a Capability Maturity Model. The model was developed by Ernst & Young using data from 3,500 companies. It helps the team at Caterpillar assess the maturity of its program, see where it stands in relation to its competition, and identify where improvements are needed.
The visualization of its transformational progress, depicted as a single graph on one slide, is an improvement over the pages of numbers and metrics that CISOs typically handle, said Zachman. While the model isn't meant to be extremely precise, it's designed to give a close estimate of how the company is improving and whether it's investing in the right areas.
Throughout Caterpillar's transformation, the model helped employees recognize that the program was focused on several areas of information security, but not all of them. Its security maturity benchmark data can indicate improvements made over multiple years or reveal areas where components of its strategy fall short of the industry average.
After two years, Zachman demonstrated, there was a major difference in how the company had improved across multiple areas of information security. The chart also displayed the achievement of major accomplishments, such as times when Caterpillar documented its information security strategy, implemented mobile device management, and demonstrated improved vulnerability awareness through self-phishing exercises.
Zachman noted that it can be tempting for security professionals to put all of their security data into a series of slides, an approach that seems more fitting given the amount of work that goes into information security. However, a more holistic view of progress is easier to understand and communicate.
Caterpillar's model has also helped demonstrate progress throughout the business.
"If you use a consistent model, it does give you the capability to talk to others who may not be information security professionals and give them something to understand," Zachman explained. As many in the field are aware, information security can be difficult to explain to an executive management team or board of directors.
If done well, a Capability Maturity Model like the one employed by Caterpillar can identify areas of strength and weakness while establishing a baseline for future success. However, it doesn't replace the necessary mountains of operational metrics throughout the organization, Zachman noted. People working in critical areas like configuration management and policy compliance need more detailed information to know that they are effectively doing their jobs.
Interop Las Vegas, taking place April 27-May 1 at Mandalay Bay Resort, is the leading independent technology conference and expo series dedicated to providing technology professionals the unbiased information they need to thrive as new technologies transform the enterprise. IT Pros come to Interop to see the future of technology, the outlook for IT, and the possibilities of what it means to be in IT.