The Security Function: Building Measurable, Effective, and Strategic Protection
In today’s interconnected business environment, information security is no longer a peripheral concern—it is a strategic function essential to protecting assets, maintaining trust, and enabling growth. A mature security program aligns with business objectives through strong governance, measurable outcomes, and ongoing improvement (ISACA, 2018).
The Role of Security Governance
Security governance provides the framework that ensures information security supports and advances business goals. It defines accountability, oversight, and decision-making structures, ensuring security is not just reactive but also strategic (NIST, 2018). Effective governance aligns security initiatives with the organization’s risk appetite, compliance requirements, and operational realities.
Governance guides how policies are developed, how responsibilities are assigned, and how performance is measured. Without governance, security efforts become fragmented, reactive, and misaligned with organizational objectives (ISO/IEC 27014:2020).
Security Policies as the Foundation
A comprehensive security policy is the cornerstone of security governance. It defines the organization’s principles, expectations, and minimum standards for protecting information assets (Whitman & Mattord, 2022). Policies guide employee behavior, shape procedures and controls, and serve as benchmarks for compliance and audits.
An effective policy is dynamic—it evolves with changing risks, technologies, and regulations. It turns executive intent into measurable, enforceable, and continuously improvable rules (ISACA, 2018).
The Importance of Measurable Security
Like any business function, security must be quantifiable to demonstrate its value and effectiveness (NIST SP 800-55 Rev. 1, 2008). Measurable security enables leaders to answer key questions such as: Are our controls working as intended? Are we improving over time? Where are the gaps that require investment?
Without metrics, security remains intangible and subjective. Measurable outcomes shift security from being a cost center to a performance-driven enabler of resilience and trust (ISACA, 2020).
Benefits of Measurable Security
Implementing measurable security delivers several strategic benefits: transparency, because the security posture becomes visible to decision-makers; accountability, because goals are quantifiable and owners can be held to them; resource optimization, because prioritization is driven by data rather than anecdote; and continuous improvement, because trends can be tracked over time (Whitman & Mattord, 2022). In essence, measurable security transforms abstract risk management into actionable intelligence (NIST SP 800-55 Rev. 1, 2008).
Evaluating Security Metrics
Effective security metrics should be relevant, accurate, and actionable. They are typically grouped into operational metrics (e.g., vulnerabilities remediated, patching times, incident response durations), compliance metrics (e.g., audit findings resolved, policy adherence rates), and risk metrics (e.g., reduction in high-risk exposures, business impact assessments).
Metrics must also be contextualized—numbers alone do not tell the whole story unless interpreted in the context of business objectives and risk tolerance (ISACA, 2018).
Assessing Completeness and Effectiveness
A mature security program should be evaluated for both completeness and effectiveness. Completeness asks whether all key domains—governance, access control, incident response, physical security, and others—are addressed at all. Effectiveness asks how well the controls in those domains actually reduce or mitigate risk (ISO/IEC 27004:2016). A program can be complete without being effective: every domain may have a control on paper that does little in practice.
Both aspects should be reviewed regularly through audits, assessments, and benchmarking against standards such as ISO/IEC 27001 and COBIT 2019 (ISACA, 2019).
Tracking and Reviewing Security Metrics
Tracking metrics is an ongoing process that turns static data into actionable insights. Security teams should develop dashboards for real-time visibility, set reporting cycles that align with business planning, define thresholds and alerts for unacceptable deviations in risk, and conduct trend analyses to evaluate performance over time (NIST, 2018).
Regular review meetings with business leaders help ensure that security remains aligned with enterprise priorities and risk appetite (ISACA, 2020).
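The operational metrics listed earlier (patching times, remediation durations) and the tracking practices just described (thresholds, alerts, trend analysis) are easiest to understand with the arithmetic made concrete. The following Python script is an added example, not code from the page or from any of the cited standards. It computes mean time to remediate (MTTR), per-severity SLA compliance, overdue open findings, a month-by-month MTTR trend, and threshold alerts over a small set of constructed vulnerability records. The SLA days per severity, the 80% minimum compliance rate, and the sample findings are all assumptions chosen for illustration; an organization would substitute its own policy values and its scanner or ticketing export.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings (not real data): id, severity, opened, closed (None = still open).
SAMPLE = [
    ("V-1", "critical", date(2024, 1, 3),  date(2024, 1, 8)),   # closed in 5 days
    ("V-2", "critical", date(2024, 1, 10), date(2024, 1, 22)),  # closed in 12 days
    ("V-3", "high",     date(2024, 1, 15), date(2024, 2, 4)),   # closed in 20 days
    ("V-4", "high",     date(2024, 2, 1),  None),               # still open
    ("V-5", "medium",   date(2024, 2, 5),  date(2024, 3, 1)),   # closed in 25 days
    ("V-6", "medium",   date(2024, 3, 2),  None),               # still open
    ("V-7", "critical", date(2024, 3, 10), date(2024, 3, 14)),  # closed in 4 days
]
AS_OF = date(2024, 3, 31)  # reporting date used to age open findings

# Assumed policy values: remediation SLA in days per severity, minimum acceptable compliance.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
MIN_COMPLIANCE = 0.80


def age_days(opened, closed, as_of):
    """Days a finding was (or has been) open; open findings are aged to the reporting date."""
    return ((closed or as_of) - opened).days


def mttr(records, severity=None):
    """Mean time to remediate in days over closed findings, optionally for one severity."""
    durations = [age_days(o, c, None) for _, s, o, c in records
                 if c is not None and (severity is None or s == severity)]
    return mean(durations) if durations else None


def sla_compliance(records, as_of):
    """Share of findings closed within SLA, per severity.

    Open findings already past their SLA count as breaches. Open findings still
    within SLA have no outcome yet and are left out of the denominator, so the
    rate is not flattered by recently opened tickets.
    """
    met, decided = defaultdict(int), defaultdict(int)
    for _, sev, opened, closed in records:
        age = age_days(opened, closed, as_of)
        if closed is None and age <= SLA_DAYS[sev]:
            continue  # undecided: still open and still inside the SLA window
        decided[sev] += 1
        if closed is not None and age <= SLA_DAYS[sev]:
            met[sev] += 1
    return {sev: met[sev] / decided[sev] for sev in decided}


def overdue_open(records, as_of):
    """IDs of findings that are still open and already past their SLA."""
    return [fid for fid, sev, opened, closed in records
            if closed is None and age_days(opened, None, as_of) > SLA_DAYS[sev]]


def mttr_trend(records):
    """MTTR per calendar month of closure, the series a trend chart would plot."""
    by_month = defaultdict(list)
    for _, _, opened, closed in records:
        if closed is not None:
            by_month[closed.strftime("%Y-%m")].append((closed - opened).days)
    return {month: mean(days) for month, days in sorted(by_month.items())}


def alerts(compliance):
    """Severities whose SLA compliance fell below the assumed minimum rate."""
    return sorted(sev for sev, rate in compliance.items() if rate < MIN_COMPLIANCE)


def report(records=SAMPLE, as_of=AS_OF):
    """Assemble the metrics a dashboard or review meeting would show."""
    compliance = sla_compliance(records, as_of)
    return {
        "mttr_days": mttr(records),
        "mttr_by_severity": {sev: mttr(records, sev) for sev in SLA_DAYS},
        "sla_compliance": compliance,
        "overdue_open": overdue_open(records, as_of),
        "mttr_trend": mttr_trend(records),
        "alerts": alerts(compliance),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The treatment of open findings is the design choice worth noticing: counting an open-but-overdue ticket as a breach, while excluding an open-but-in-window ticket, gives a compliance figure that cannot be gamed by closing nothing and is not distorted by the normal backlog of new findings. The `alerts` list is what would feed the "thresholds and alerts for unacceptable deviations" mentioned above, and `mttr_trend` is the series a review meeting would compare across reporting cycles.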
Developing and Implementing Security Strategies
A well-defined information security strategy turns governance and metrics into action. It outlines the roadmap for achieving maturity across technology, processes, and people.
Key steps include assessing current capabilities and gaps, prioritizing initiatives that align with business goals and risk priorities, implementing technical and administrative controls, measuring progress through metrics, and adapting as threats evolve (Whitman & Mattord, 2022; ISACA, 2020).
Strategic implementation ensures that security is not a one-time compliance exercise but a continuous process of risk management and business enablement (ISO/IEC 27014:2020).
Conclusion
The security function within a business must evolve from a reactive defense mechanism to a proactive, measurable, and strategically governed discipline. Through strong governance, clear policies, meaningful metrics, and ongoing assessment, organizations can build a security posture that is both complete and effective—protecting assets while enabling innovation and trust (NIST, 2018; ISO/IEC 27014:2020).
References
- ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. ISACA Publishing.
- ISACA. (2019). COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution.
- ISACA. (2020). Measuring and Managing Information Security Risk: Metrics and Methods.
- ISO/IEC. (2016). ISO/IEC 27004:2016 – Information security management — Monitoring, measurement, analysis, and evaluation.
- ISO/IEC. (2020). ISO/IEC 27014:2020 – Governance of information security.
- NIST. (2008). SP 800-55 Revision 1: Performance Measurement Guide for Information Security.
- NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1).
- Whitman, M. E., & Mattord, H. J. (2022). Principles of Information Security (7th ed.). Cengage Learning.