Wednesday, March 09, 2011

PROTIP: Publish Security Scoreboards Internally


Achieving similar success requires first choosing a useful and collectable set of security metrics in areas where the organization would like to improve. Anything measured tends to improve. These metrics may be the total number of vulnerabilities, remediation rates and speed, vulnerabilities-per-input, the percentage of developers passing awareness training, time exposed to serious issues, and so on. Next, start collecting data. When enough has been gathered, format the results properly, typically organized by subsidiary, business unit, or team, and publish the reports internally for all to see. Security scoreboard leaders will be proud to see their performance recognized as they set the standard for coworkers to follow. Laggards will feel pressure to do what is necessary to close the gap with their peers. Security teams will have to chase down the weakest links less and less, because those needing the most help will begin seeking them out.
