And from the business perspective, how does it impact competitive advantage, which is a complex and difficult core business metric? No matter how we measure competitive advantage and information security, the people doing the work are always part of the equation. Better people mean better results, without fail. Higher morale usually figures in as well. Both contribute prominently to information security, and both are almost universally ignored as risk indicators in security assessments.
If we can use our information security assessment and education processes to get at both morale and employee satisfaction, we can provide an indicator that not only has value to security, but also business advantage. Metrics that help security and the business let us integrate security into business operations.
Morale is difficult to measure directly, because people do not want to be honest about being unhappy in their jobs. Either the job market is worker friendly, and any unhappy workers with talent can easily move on, or it is employer friendly, and people do not want to risk losing their jobs by expressing any negative opinion. But there are signs we can use, especially in the tech world of security, and they give us insight into both line satisfaction and management satisfaction.
Indicator 1: Training Opportunities
Are the employees being offered training? Are they taking training? Does the result support the business? Are they being denied training due to budget constraints? Are they asking? Have they stopped asking? When is the last time each employee attended some form of training that increased their value to the business (which is its own metric)?
Employees who are not given opportunities to grow their skill set have limited opportunity, which may contribute to low morale, especially if the situation recurs regularly. Employees who do not ask are not concerned with advancing the business. They are, at best, mediocre assets collecting a paycheck and, at worst, drags on the rest of the department.
Managers who are not aware of this situation and working to alleviate it are more of a problem than the employees. Management is always responsible for low morale and lack of forward momentum on the line. A good manager will figure out ways to obtain and direct free training when money is tight and find ways to reward employees who continue to push the business forward in tough times.
Both are easily measured during the annual security assessment and can be slotted into both ISO and NIST (ISO 27001 A.6.1.1 and NIST ID.AM-6). It is an abstraction, so it can go in a couple of places, but governance of personnel resources seems appropriate.
It is easily quantifiable on all the points mentioned: training provided, training sought, new certifications, training budget, percent consumption, and other measures.
But most important for our purposes, it lets us get a feel for how the organization is responding to the ever-changing field of information security and technology. This in turn lets us bubble the metric up to the competitive advantage calculation. If the numbers are not right or are declining, we have a clear indication that something is awry. If personnel are being offered training opportunities and not taking them, that is an indicator.
But why is this important to information security? Because workers who are not provided opportunities or who are not taking advantage of opportunities tend to have lower morale. On an individual basis, this can indicate an employee with a personal problem that warrants closer inspection and possibly intervention, which a good supervisor should notice. On a broader basis, it can indicate a more pervasive problem, and this should percolate up through the management chain and be a clear indicator of underlying problems at any level in the chain of command.
In related metrics, HR turnover counts can be matched up with these to provide additional insight into where the problem may lie, if something in the chain of command is interfering with a determination. When in doubt, move people around, a classic troubleshooting move, to see if the problem follows someone in particular.
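The training indicators above (offered versus taken, budget consumption, year-over-year decline) matched against HR turnover can be computed from ordinary records. The following is an added worked example, not code from the article; the record layout, the department names, the employee rows and the turnover counts are all constructed here for illustration, and the 20-point decline and 50% uptake thresholds are assumed values, not figures the article gives.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TrainingRecord:
    """One row per employee per year (constructed schema, not the article's)."""
    year: int
    department: str
    employee: str
    offered: int    # training opportunities offered this year
    taken: int      # opportunities actually attended
    budget: float   # training budget allocated to this person
    spent: float    # budget actually consumed


# Constructed sample data: a security-operations team whose training uptake
# collapses in the second year, an appsec team that stays steady, and an IT
# team that is offered nothing at all.
RECORDS = [
    TrainingRecord(2023, "secops", "alice", 4, 4, 2000.0, 1800.0),
    TrainingRecord(2023, "secops", "bob",   4, 3, 2000.0, 1500.0),
    TrainingRecord(2024, "secops", "alice", 4, 1, 2000.0, 400.0),
    TrainingRecord(2024, "secops", "bob",   4, 1, 2000.0, 500.0),
    TrainingRecord(2023, "appsec", "carol", 3, 3, 1500.0, 1500.0),
    TrainingRecord(2024, "appsec", "carol", 3, 3, 1500.0, 1400.0),
    TrainingRecord(2024, "it",     "dave",  0, 0, 0.0, 0.0),
]

# Constructed HR turnover counts keyed by (year, department).
TURNOVER = {(2023, "secops"): 1, (2024, "secops"): 4,
            (2023, "appsec"): 0, (2024, "appsec"): 0, (2024, "it"): 0}


def department_indicators(records, year):
    """Aggregate the per-department training indicators for one year.

    Returns uptake (taken/offered), budget consumption (spent/budget) and
    opportunities offered per head; ratios are None when the denominator is 0.
    """
    agg = defaultdict(lambda: {"offered": 0, "taken": 0,
                               "budget": 0.0, "spent": 0.0, "headcount": 0})
    for r in records:
        if r.year != year:
            continue
        d = agg[r.department]
        d["offered"] += r.offered
        d["taken"] += r.taken
        d["budget"] += r.budget
        d["spent"] += r.spent
        d["headcount"] += 1
    return {
        dept: {
            "uptake": d["taken"] / d["offered"] if d["offered"] else None,
            "budget_consumption": d["spent"] / d["budget"] if d["budget"] else None,
            "offered_per_head": d["offered"] / d["headcount"],
        }
        for dept, d in agg.items()
    }


def flag_departments(records, turnover, prev_year, year,
                     max_drop=0.2, min_uptake=0.5):
    """Flag departments whose indicators moved the wrong way, with turnover attached.

    Reasons: uptake fell by more than max_drop (absolute) year over year,
    training was offered but mostly not taken, or no training was offered at all.
    The turnover count lets the reader check whether the problem is leaving with people.
    """
    prev = department_indicators(records, prev_year)
    cur = department_indicators(records, year)
    flags = {}
    for dept, ind in cur.items():
        reasons = []
        p = prev.get(dept)
        if (p and p["uptake"] is not None and ind["uptake"] is not None
                and p["uptake"] - ind["uptake"] > max_drop):
            reasons.append("uptake_declining")
        if ind["uptake"] is not None and ind["uptake"] < min_uptake:
            reasons.append("offered_not_taken")
        if ind["offered_per_head"] == 0:
            reasons.append("no_training_offered")
        if reasons:
            flags[dept] = {"reasons": reasons,
                           "turnover": turnover.get((year, dept), 0)}
    return flags


if __name__ == "__main__":
    for dept, info in flag_departments(RECORDS, TURNOVER, 2023, 2024).items():
        print(f"{dept}: {', '.join(info['reasons'])} (turnover {info['turnover']})")
```

Run as a script, it lists each flagged department with its reasons and that year's turnover count; a department that is both declining in uptake and shedding staff is the pattern the article tells us to escalate up the management chain.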
So how else can we indirectly observe morale?
Indicator 2: Public Speaking and Publication
A narrower metric, but one which is still exceedingly useful in determining morale and business focus, is public speaking and publications.
What we mean by this is how often personnel go present at professional events, big or small, and how often they blog/publish articles either directly in cooperation with Marketing or on their own.
This one has more variability than training, in that opportunity and relevance come into play, but there is no limiting factor on independent effort, so we as managers want to encourage personnel to publish and present, not least because it polishes communication and critical thinking skills. It is, in addition to all the other benefits, a way to groom personnel for promotion and broaden their network, both of which are management interests.
A willingness to present and publish (P&P) is likely indicative of relatively benign morale. A reluctance may be individual or it may be low morale. A willingness can also mask poor morale, in that personnel are using it to find satisfaction, and possibly to look for work. Again, working with HR and matching up turnover can help determine which one, if it isn't clear.
What we as business leaders want to do is encourage P&P, because it is good for the business and good for the person. We want to observe P&P as managers, because it tells us how our people are doing. If a direct report is doing P&P outside of their area, or not in line with the business, it may indicate a disconnect or an opportunity for growth. Tread carefully.
How does this affect risk?
Both of these indicators tell us about the state of being of the line employees and management. People who aren't aware of these things or doing them badly are likely missing other key elements of risk management and security. As any auditor knows, it is technically possible to pass an audit like ISO or PCI-DSS yet still have ruinous practices.
And from the business perspective, a strict audit review misses the abstract issues that directly impact the success of the security framework in question. We want to have that holistic view into the processes. If the strict elements are being dealt with, but the personnel and management issues are lax, we will have security incidents, and they will be more likely to come as a result of insider activity or negligence.
Preventing insider threats and mistakes requires a big serving of internal awareness, and personnel management practices are generally not something security auditors dig into. But they should. These mistakes can be the most costly.
Steps to Take
Build these metrics into your ongoing efforts. Use your recurring security training as a vehicle for collecting some data. Implement a presentation and publication practice as part of the annual employee performance review. And make sure your risk management practices, including your annual reviews, look at the underlying support mechanisms for the simple mechanistic security practices. If people aren't proactive and motivated, not merely "content", your security program will suffer as a result.
And that is a competitive advantage that means your company will handle threats better and be more successful in the market.