Fortune Cookie Security Advice – February 2009

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking about how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for February:

A worthless metric is one which fails to drive decisions, even when the metric result radically changes.

The world of information security is full of metrics.  Sadly, many are worthless.  A valuable metric is one which drives decisions.  Unfortunately, our industry also persists in publishing metrics which may nicely fill graphs and catch attention with flash, but in the end are meaningless.  The true test: can it facilitate change?

One of my favorite metrics to pick on is a graphic which shows the percentage of internet attacks by country.  Provided every year, this metric presentation is visually stunning, usually consisting of a background of the globe with offending countries in vibrant colors.  It is clear, attention grabbing, and even interesting in a sublime way.  Media outlets love the eye candy.  But at the end of the day, the data is meaningless.  It does not really matter where attacks initiate from.  Organizations would not change their course of security if the numbers shifted drastically over time.  The proximity and country of origin simply do not matter.  The number and types of attacks are far more relevant, but not the division of origin based upon international borders.

Whenever we are presented with metrics, we must think critically to understand their value.  Don’t get caught up in beautiful graphics or catchy titles.  Challenge everything.  Would you do something differently in your approach to securing your environment if the data changed radically?  If not, then move along, nothing here to see.

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.