How do security professionals measure their success?

Many people, including many security professionals, see security in binary terms: we are either secure or we are not. This is a ludicrous perspective from all sides.

Security is about understanding, measuring, and managing risk.

To put this in terms of your proposed lens of 'success':

  1. Have we been unsurprised by a threat and the impact that materialised?
  2. Have we been monitoring and calculating the impact of the threats we do know about and the effectiveness of our mitigations compared to the threats and impacts that materialised?
  3. Have we been adjusting our mitigations in response to evolving threats so that when they materialise, the impact is tolerable?

If we can say "yes" to those, then we have been successful.

That's how you measure the success of a security program of an organisation, and that's how you measure your personal success as a security professional.

Chasing the state of "secure" is a silly task, especially considering the reality of 0-days and the fact that the secure operation of an organisation is entirely up to non-security people (and even security people get it wrong sometimes).

The path to success is about risk and resiliency.
