What Success Looks Like

In this course, we start off by looking at constraints that may prevent us from reaching our security objectives before moving on to how to form an action plan. This involves carrying out a gap analysis to see where you are and where you want to be (with regards to information security, of course) and then putting a plan into place to close the gap.

We then need to implement ways to measure progress towards closing the gap and we will look at that in the metrics and monitoring lecture. Finally, we look at the six strategic outcomes which help us to define what success looks like.

Learning Objectives

  • Understand the potential constraints that may impede our security measures
  • Learn how to create an action plan to reach our security goals
  • Learn how to measure progress through metrics and monitoring
  • Understand how we define success

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Management exam or anyone who is simply interested in improving their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


Now we come to section 33 in our domain, Information Security Governance, so that we can determine what success looks like. To make sure that we understand how well we are doing in our program, we're going to need to look at what success looks like. To do that, we have to assess six strategic outcomes.

The first one is alignment. In looking at this, we're making sure that security does, in fact, line up with the business strategy overall; that the enterprise defines what good security is by how it's produced and what it protects; that security matches the company's DNA, in other words, its culture, its mentality, its risk appetite and its risk tolerance; and that the money spent on security reflects its importance, meaning that protection is commensurate with the value of the asset being protected.

Second is our program of risk management, in which we have to decide whether to act or not. Acting is always driven by potential outcomes, the probability of their occurrence and the value of the asset involved. Sometimes it is better to do little than it is to do a lot, depending upon what you're trying to achieve. This outcome measures whether or not we're making decisions appropriately and commensurately aligned with the risk, so that impacts are lessened to acceptable levels.

We look at value delivery, which means our security investments support the business goals. We look at resource optimization, meaning that our security knowledge and infrastructure are used effectively. We look at performance measurement, and this is where our metrics are especially useful to help us measure our resource optimization along with the results of the security program that employs them. And finally, integration: that all the processes work as intended from end to end.

Without doubt, one of the lowest-cost, highest-return investments we can make is training people: making them aware of what is needed from them and what information they need in order to behave appropriately and responsibly in support of the security management program.

Successful action plans require training and awareness of all the participants. Employees must see the connection between what they do on a daily basis and the standards and policies that govern them. Training should be geared towards various groups and audiences and be clearly understood by them. For example, sales isn't necessarily interested in how to configure a firewall any more than the firewall engineer needs to know how to sell a product or service.

Fundamental to training, of course, is that employees must understand the processes and policies and procedures that will govern how they do their work. It means that they have to understand the ins and outs of the processes that they will use.

To do this, they will also need to understand what the key goal indicators are, what the key performance indicators are, any related key risk indicators and, in particular, what the critical success factors are, so that by using these metrics they'll know whether the job is going well or not and whether or not they're being successful in their role.

We come to the end of our second section. Let's stop here for a short break, and we'll come back with the next module.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.