🔦 Spotlight - Measuring vague concepts
What to do when your CEO says "what's the impact of IT security?"
I wrote about how BizOps can measure (at least some of) its impact on the business. A few people wrote back with questions about their specific situations and how they might apply some of those methods. The examples I gave are of course single point measurements. They help, but they are not the answer to a question of the scope "How do I measure the impact of IT security on my business?" This question is big and vague, but like anything, it is not impossible to tackle. It is of course not only about measuring BizOps, but entire orgs, motions, or initiatives. In this post I am going to dig into a way to define and measure the impact of things that are tough to measure.
Back to a real world example that I had to tackle while at Hopin: How do you measure the effectiveness of IT security?
I have heard of teams that measure this by, e.g., how many employees took a certain training, whether a specific system is implemented, or whether certain certificates are obtained. These are all the wrong measures. With them you are measuring something, but not the real impact. (I will come back to this later.)
To understand the impact of IT security, you need to know two things:
what needs to be measured,
and how.
You'd need to understand the drivers of the impact. I like to drill down using a simple "What does that mean?" technique. (The "What does that mean?" technique is simply a derivative of the '5 Whys' technique, but with a sometimes better prompt.)