One of the most common questions organizations ask me is, “Well—what is our score?” Three things to know about improving your score on an audit:
- First, know what is really important. Do you want to compare your organization’s security and use of best practices to what other organizations are doing? It is easy to be more secure than the norm. Or, do you want to know how your organization can get better and the pros/cons of making changes?
- Second, be sure you know what you want as a result of your audit. Do you really want to grade your IT team and/or increase overall security at your organization? You wouldn’t criticize a heart surgeon who doesn’t know all about orthopedic surgery. Sometimes your IT pros just need a little coaching to tweak the equipment that your organization already has in place.
- Third, know which metrics to measure to show that IT is making constant improvement after each audit. If the score is the only metric used to measure IT, then, just like anyone who is getting a bad score, even in a chess match, IT will be tempted to look for ways to cheat, procrastinate, or even discredit the entire process.
Please post your comments on this blog.