In this video, Kip Boyle discusses how the leadership landscape can relate to a successful information security program. Determine an organization's top leadership opportunities and challenges based on score data.
- [Instructor] Knowing how resilient you are and what your top risks and strengths are is important. But the leader in you wants to use that information to bring about useful change. That's the definition of leadership. That means you need to sell a vision of a better future to others, and get them to help you. To do that well, you need to know, where do I have strong agreement about the scores? That information helps you gauge how much support you'll have to make useful changes in a given area.
You also need to know, where do I have a diversity of opinion about the scores? This information helps you gauge how much persuading, in other words, selling, you'll have to do to get people to help you. If you had multiple experts provide scores on the same controls, we can find answers by using a basic statistic called standard deviation, which is a measure of how far away the data is from the mean or the simple average. A low standard deviation indicates the data points are close to the mean.
This tells you that your experts gave scores that were highly similar, which suggests you can expect most people to agree that the mean score is their reality. A high standard deviation indicates the data points are spread out over a wider range of values. This tells you that your experts gave scores that were somewhat or highly different. So, you can expect most people to disagree that the mean score is their reality.
Let's look at how to calculate the standard deviation. There are several standard deviation functions available in Excel to choose from. Because we've gathered sample scores from an entire population of experts, we'll use this one: STDEV.S. To make the calculation, you'll need to put in the formula the range of cells that contain all the scores for the same control, like this. In this formula, Excel will calculate the standard deviation for all the scores in cells A1 through A9.
Excel will put the answer into whichever cell you entered the formula. Let's look at a few examples of how you can use standard deviation for leadership. Assume we've measured the Awareness and Training activity. This activity focuses on cybersecurity awareness education for your organization's personnel and vendors, to make sure they're adequately trained to perform their information security-related duties. For each of the four examples that follow, we have scores from experts representing 23 different work groups across your organization.
In this first example, your actual mean score is 4.38. That compares with a target score of 8. So your gap is 3.62, which is fairly big. But with a standard deviation of 0.35, you can expect little argument that there's a problem. However, you'll still need to check to see if the experts will support your ideas for managing the risk.
In this next example, your actual mean score is 4.12, as compared to your target score of 7. That results in a gap of 2.88, which is still rather big, but look at the high standard deviation of 2.11. In this case, your experts gave many different scores, so you can expect some disagreement that there is a problem or how big the problem may be. So it may take a good deal of effort on your part to get the experts to focus on your ideas for how to manage the risk.
In this third example, your actual mean score is 7.2. So your experts see you as being in the green zone. Your target score is 8, so you have a very small gap of 0.8, and a standard deviation of just 0.66. So, everyone agrees the score is 7.2. Except in this case, you don't believe that your organization is as well trained as it needs to be, or thinks that it is. As someone who is well educated on information security, you have a keen sense for this. However, based on these numbers, you can expect a lot of resistance to your suggestion that there is a problem. You may need to put some serious effort into explaining why you believe there's a problem.
In our final example, you have an actual mean score of 6.8 against a target score of 8. The gap is a tiny 0.2. But your standard deviation is quite big at 2.47. Interestingly, some of your experts agree with you that there is a problem. The good news is that you may be able to get their help to persuade the other experts to your way of thinking.
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance