Goals: The security and compliance rudder


  • Point 1: The fundamental importance of goals

    CISOs and their security teams are understandably busy. Focusing on the complexity of data security and compliance requires time. The day-to-day operations always appear to be more pressing and given higher priority than taking the time for proper introspection and foresight.

    Figuring out exactly what the right goal is—and creating a navigation chart to get there—can be daunting for those very reasons. Some CISOs erroneously think that devoting the proper amount of time to planning a goal is not a top priority, despite knowing that the goals of a data security and compliance program are far more achievable and effective with a strategy in place. A strategy applies focus and prioritization to obtain carefully chosen, defined goals.

    It’s not the amount of technology, resources or policies that help improve the effectiveness and sustainability of a control environment. It’s the decisions behind the formulation of the goals that make the difference.


    Organizations are investing an unprecedented amount of money to secure sensitive data and meet compliance requirements. Yet, it’s not the amount of technology, resources or policies that help improve effectiveness and sustainability in a control environment. More important is the quality of decisions behind the formulation of the goals—the data and analytics behind the decisions. Those goals are integral to the security business model, security strategy and security operating models (see The Security Management Canvas, page 33). They determine the quality of security governance and how the CISO, steering committee and board of directors can turn the tide.

    • No CISO can hope to truly succeed with data security and compliance without knowing three things:

      • What the ultimate goal is
      • Where they currently stand in relation to that goal
      • The magnitude and direction of the change needed to move from the status quo to where they want to be (the goal)32
  • Do not underestimate the value of effective goal setting.

    Organizations should not be surprised when they struggle to achieve sustainable control effectiveness if it’s not an explicit goal supported by a strategy that directs resources toward prioritized objectives. Too often, PCI security program team members chase off in different directions. All participants and stakeholders should have the same vision of the end point. When program participants work toward different end points, even inadvertently, it often becomes impossible to completely correct the misalignment and pull them all together at the end. All team members should follow the same strategy and navigation points for successful achievement. Even minute differences in interpretation of the success criteria can lead to quite dissimilar outcomes.

  • Point 2: Differentiating goals from objectives

    Goals translate the desired results, outcomes and destinations of the organization’s mission and ambitions into specific, quantifiable terms with measurable results. Your primary security and compliance goal statements should be quantified in advance of strategy implementation. Their achievement (or nonachievement) should be specifically measured throughout the implementation and operation of the tasks and processes along the journey.

    Clear communication of goals helps you conduct day-to-day operations with a sense of purpose and direction. It promotes accountability, as team members can be held responsible for their tasks to the collective team.


    “It is more important to know where we are going than to get there quickly. Do not mistake activity for achievement.”33

    —Mabel Newcomer


    Good communication lays a foundation for collaborative work toward proclaimed goals. Setting clear goals for PCI security compliance can affect individual performance by:

    • Directing action and effort toward goal-related activities and away from unrelated activities, which is greatly needed to deal with the changes PCI DSS v4.0 will introduce
    • Energizing employees, leading to higher employee effort
    • Motivating employees to apply existing knowledge to attain a goal, or to acquire knowledge necessary to do so
    • Triggering persistence through frequent reminders of goals—again, employees may exert more effort
  • Can you keep your compliance ship straight?

    The goals of your data security compliance program are like the rudder on a ship. The rudder sets the direction and determines where you go. If you commit to one specifically defined set of goals, or perhaps even a single well-articulated goal, then the rudder stays put. You continue moving forward on course. If you flip-flop between vague or conflicting goals, the rudder moves all around, and it becomes easy to find yourself going in circles (or getting stuck in the Suez Canal).

    However, other parts of the ship are just as important as the rudder; for example, the engine and the hull. If the rudder is your goal, then the engine is your process for achieving it. While the rudder determines your direction, it’s the power and speed of the engine and the captain’s skill in steering the ship to navigate the environment (river, canal, ocean and weather) that determine progress.

  • Goals: A goal is an end result you want to achieve with your data security and compliance strategy and program. It’s typically a general and overarching idea expressed clearly, concisely and descriptively. Goals for your organization should be aligned with your organization vision, mission and ideals. They are both long-term and time-sensitive indicators of what should be accomplished and where your organization expects to be in the future. Goals are normally singular and expressed as a single sentence or short paragraph articulating the desired outcome, the anticipated date it is to be achieved and the resources required.

    Objectives: While goals are usually broad, objectives are much more specific, clear and actionable. Objectives are smaller, specific targets within the general goal. They articulate how a goal is attained, with specific actions and steps to take to achieve a goal. Objectives are time-bound and have more immediate deadlines than goals. Objectives include measurable performance factors, challenging but approachable deadlines, and clearly stated costs and quantities.

  • Goals express a wide-range vision. Objectives focus on the individual, achievable outcomes with concrete deliverables. Progress toward objectives helps measure advancement to reaching the larger end goal.


    When outlining a security plan, understanding the difference between goals and objectives is important. A goal describes a broad, overarching destination: “We want to improve the robustness of all cardholder data system components in two years.” Or a goal to improve the resiliency of PCI DSS compliance: “We want the ability to detect all controls that fall out of place, prior to the PCI DSS compliance validation assessment.”

    A goal does not define how to achieve these objectives; it does not describe a strategy to get there or offer the specific tasks necessary to achieve the strategy. It simply specifies a target destination to work toward. Security and compliance objectives are specific, measurable activities you need to engage in to attain broader security and compliance goals. For example: “To achieve the goal of maintaining sustainable control effectiveness of the payment card data environment, we will review, report and improve the capacity of the compliance team to support the program every two months.” Or, “All PCI DSS controls that are found not in place during internal compliance validation assessments will be corrected within 30 days.”

    The objectives focus on particular deliverables that can be divided into a series of moves, including groundwork, analyses and creating the capacity that enables security and compliance teams (across all 4 Lines of Assurance; see page 44 in the 2020 PSR)34 to support the objectives. In the security field, goals and objectives are a lot harder to achieve without mapping out a strategy.

  • Strategy: The navigation plan for successful goals and objectives

    Strategy is the central plan that connects objectives with goals. The CISO and team should strive to create a security business model, strategy, and supporting security operating model and frameworks that are integrated and embodied into the security and compliance program, to help move toward an overarching set of organization-wide goals.

    In our example above, to achieve the goal of reducing the number of PCI DSS controls that are not in place during compliance validation assessments by 50% within six months, the security and compliance team should adopt a strategy and define the specific sets of actions (objectives) necessary to realize the strategy that will propel them toward the goal. “We will increase the number of control environment reviews conducted internally to measure and report the performance of controls across the compliance environment.”

    A goal is supported by a clear strategy that is broken down into objectives and tactics for measuring progress. This high-level strategy statement is part of a simplified plan that is then refined to be specific about the resources, priorities and focus needed to accomplish the objectives and goal. A strategy statement frames the major actions but stops short of describing specifically how those actions will be implemented.

  • The challenge of customizing goals and objectives

    In many security organizations, the performance appraisal and planning process involves identifying goals and objectives for an upcoming time frame. However, people often don’t know the difference between a goal and an objective and conflate the terms. A helpful approach is to break down the goals and objectives into steps and stages. For example, define one to three statements that describe a destination for each individual in your security and compliance team, and for each additional key stakeholder that can impact the security of payment card data. These are your individual goals, at a team level. Each goal statement should be supported with a description of the high-level approach needed to achieve it.

    Envision the goal as a final destination at the end of the field, and the objectives as the various plays, maneuvers and actions needed to reach that goal. Resist the temptation to confuse the goal with the objectives needed to reach that post and, more importantly, instruct your team on the difference.

  • “Success is doing a thousand little things the right way … over and over again.”35

    —Charles R. Walgreen, Sr.
  • Point 3: The circular journey between goals and strategy

    The value of taking a strategic approach to data security and compliance was covered throughout the 2020 PSR. Since the release of that report, more organizations are aware of The Security Management Canvas. We also explained what strategy is, its components and how to evaluate the strength of a security strategy.

    When a CISO is asked about their security and compliance strategy, the response is often a list of activities and description of various operational metrics. The list often fails to summarize how they are progressing against the primary goals. When a strategy cannot be articulated clearly and concisely, it’s often an indicator that there probably isn’t an effective, executable strategy in place. This is often a symptom of “strategy development sessions” where participants focus on a narrow set of key performance indicators. No matter how much enthusiasm is at the table, they are likely to emerge with a list like this:

    • Improve information security
    • Optimize the investments in security and compliance
    • Increase security awareness and training
    • Improve security configuration management, etc.

    These are vague statements of intent. While they may contain what might be called goals, objectives or actions, they are not easily attainable. Participants often jump into developing solutions, burrow into the details and quickly lose sight of the actual goal. They lose the bird’s-eye view and get stuck in fix-it mode.

  • While goals, objectives and clear targets are not a substitute for strategy, they are essential to strategic development.
  • Which comes first, goals or strategy?

    Don’t confuse strategy with goal setting. They are not the same, and it’s important to understand the difference. Set the goal first, then decide how best to reach it through strategy and tactics. Innovation requires a goal to get started. As Stephen Covey said, “Begin with the end in mind.”36

    For security strategy and programs to be viable, stakeholders must agree up front on the goals, objectives and success criteria. This is a necessary condition for project success, not a sufficient condition. Unfortunately, nothing absolutely guarantees success. But without clearly defined goals and carefully chosen tactics that support your goals, you can’t gauge progress and make adjustments to a strategic plan.


    Goals are a measure of progress. Goals support the strategy.

    Goal → strategy → tactics

    Properly set data security and compliance goals provide a clear vision for teams and individuals involved in or able to influence the security of the control environment—particularly for the teams within each line of assurance. It’s recommended that people across all 4 Lines of Assurance participate in the development and execution of goals, strategies and tactics. Clear communication of goals helps them conduct day-to-day operations with a sense of ownership, purpose and direction. They invest in the learning, success and failures. 

    The pursuit of goals and execution of strategy is often not linear, but circular. As you progress through the execution of your strategy, it can reveal new—and better—goals.

    “How do the goals of cybersecurity differ from other goals?” is a logical question. More specifically, “What are the goals of cybersecurity?” And “What are the goals of information and data security?” Or even more specifically, “What is the goal of PCI DSS compliance?”

    A very basic response is “to protect payment card data from being compromised by maintaining strict control over the confidentiality, integrity, authenticity, availability and utility of all systems and components that process, transmit or store payment account data and its surrounding environment, in accordance with PCI Standards.”

    While this is true, oversimplifying goals is dangerous. Which is one reason why it’s worth clearly defining your goals to internal and external stakeholders before working on how to achieve them.

    Compliance is one of the components of an organization’s governance, risk and compliance (GRC) function, which is concerned with protecting stakeholder value by managing business risk. Therefore, the objectives and goals of a PCI security compliance program should align with the primary goals pursued by the organization’s GRC strategy. It’s widely recognized that the goal of PCI security compliance is not to implement a baseline set of security controls merely for the purpose of passing a compliance validation assessment.

  • Point 4: Goals specific to PCI security

    Key to this concept are:

    • Security assurance:
      The grounds for and measure of confidence that the security practices, procedures, architecture and features of an information system meet objectives accurately, mediate and enforce the security policy
    • Security assurance levels (SALs):
      Provide a qualitative approach to address goals, their requirements (necessary conditions) and constraints to plan, design, manage and maintain the performance of the security control environment at a specified confidence level
    • Sustainable security control effectiveness:
      An essential organizational capability based on a target level of assurance. This ensures that the control environment and critical components within it have the broader organizational capacity and support to avoid prolonged negative deviation from operating standards and objectives. This requires demonstrable evidence of assurance by measuring, recording and reporting the actual quality of robustness and resilience of all critical components within the control environment. This is essential for early detection and correction of control performance deviations

    As mentioned before, the effectiveness and assurance that a PCI security program offers is directly proportional to the extent it’s integrated into and supported by broader GRC initiatives.


    “Effective goal setting requires consideration of the system that surrounds you. Too often, we set the right goals inside the wrong system. If you’re fighting your system each day to make progress, then it’s going to be really hard to make consistent progress. There are all kinds of hidden forces that make our goals easier or harder to achieve. You need to align your environment with your ambitions if you wish to make progress for the long-run.”37

    —James Clear


    When poorly designed goals fail

    If a simple formula existed, goal setting would be easy. Designing your goals with the necessary motivation to reach them is hard. However, there are methods and known factors you can adjust to vastly improve your goal-setting skills.

    CISOs, security teams, security professionals and management in general benefit from having and applying a goal-setting standard. A goal-setting standard is a repeatable and harmonized process (an agreed-upon norm) for documenting your end goal, and specifying how to achieve it in a detailed, relevant, measurable and time-bound manner. Avoid any process that will result in establishing vague ambitions for your PCI security compliance program, and your overall data security and compliance strategy and efforts. These ambitions (goals) can be hard to define. Clearly defined goal-setting standards are pointless if they don’t actually help you reach your goal. For example, implementing PCI DSS requirements merely for the sake of meeting baseline compliance requirements, without a sincere attempt to establish an effective and sustainable control environment, is nearly useless if it doesn’t actually help you reach that goal. If you take anything away from this report, remember the importance of developing sound goal-setting standards.

    Aligning goals between business and security compliance interests

    Involving stakeholders is essential. Clear goals, objectives and targets should be designed with input from all stakeholder groups. This may, in many cases, be best accomplished one stakeholder group at a time. Once accomplished, you have a significant cornerstone to build a smart security and compliance strategy for each group.

    Collaboration between the CISO and board enables the organization to be in the best position to oversee necessary strategy changes and hold all stakeholders accountable. Accountability should include the effort to make sound decisions for organizational planning and management, and performance measurement of security and compliance. Not surprisingly, many CISOs and boards aren’t prepared to assume this responsibility; in many cases, that’s because they lack an actionable framework that will empower senior executives and board members to become stewards of their organization’s data security and compliance activities. 

    The responsibility for satisfying security and compliance goals rests with the managers of the system, from the chief executive officer down to the front-line supervisor. If you’re a manager, how do you know what the system’s goals are? Frequently, managers directly involved in security and compliance have different ideas than business executives in other parts of the organization. For more information on goals, see “Appendix A: Primer for crafting security and compliance goals,” page 146.

    Next, we review The Security Management Canvas (TSMC)—a management tool and vital component that can be integrated into your goal-setting standard to tie strategy and operations together.