4. Measure everything
Use metrics to ensure compliance with control objectives. The audiences for such metrics and the purposes those metrics serve can vary, so it's important to ensure that all aspects of an IT security program are measured.
A metrics program that is focused purely on operational data -- such as firewall log data or antivirus data -- offers no navigational or management metrics, says ISACA's Brotby.
"If I don't have good policy compliance, is it because people don't know how to do it or because they are ignoring my policy?" he says.
To understand such issues, GM has established a four-tiered metrics framework to collect and analyze performance data on multiple aspects of the company's information security program.
The right metrics can help businesses track, trend and report on security performance, says Ed Cooper, vice president of marketing at Skybox Security, a vendor whose risk-modeling products are used by organizations such as Standard Chartered Bank. The trick is to know which metrics make sense for each stakeholder, how to gather the information and what language to present it in, he says.
"Everybody looks at risk from their own point of view. Metrics have to be put into some sort of relevancy" for each perspective, Cooper says.
5. Monitor all controls
Implementing controls for dealing with security threats is one thing. Testing, monitoring and validating them is another. "If you have key controls on critical processes, you need continual monitoring to make sure they are working," Brotby says.
This sort of monitoring can be part of a broader IT governance program or compliance and auditing effort.
Many of the controls that companies use to manage risk were originally implemented in response to some tactical issue. Many companies, for instance, have deployed network behavior analysis tools in response to concerns over so-called zero-day threats that take advantage of unpatched software vulnerabilities.
It's important to tie controls back to a specific business risk and then monitor them to ensure that they are indeed doing what they were intended to do.
"The problem with controls is that they are put in place reactively to a particular problem, and then they pile up, so you get layers of controls that people don't know are controls," Brotby says.
To a large extent, governance is what you are doing when you gather metrics to prove compliance with an internally or externally driven security requirement, Meakin says.
"Compliance means showing these are the risks and these are the controls, and, yes, I have mapped those controls to the regulatory requirement," he says. "The fact I am measuring is a demonstration of proper governance."
Taking such steps will be challenging for large companies where the security environment has grown in response to tactical considerations as opposed to strategic ones.
To understand how secure you need to be in that kind of environment, start by looking at your industry or regulatory compliance objectives, Othersen says.
But whatever your environment, get started. A better answer to the big security question is within reach.