Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking about how security applies to their environment.
I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Fortune Cookie advice for February:
A worthless metric is one which fails to drive decisions, even when the metric result radically changes.
The world of information security is full of metrics. Sadly, many are worthless. A valuable metric is one which drives decisions. Unfortunately, our industry also persists in publishing metrics which may nicely fill graphs and catch attention with flash, but in the end are meaningless. The true test: can it facilitate change?
One of my favorite metrics to pick on is a graphic which shows the percentage of internet attacks by country. Provided every year, this metric presentation is visually stunning, usually consisting of a background of the globe with offending countries in vibrant colors. It is clear, attention grabbing, and even interesting in a sublime way. Media outlets love the eye candy. But at the end of the day, the data is meaningless. It does not really matter where attacks initiate from. Organizations would not change their security course if the numbers shifted drastically over time. The proximity and country of origin simply do not matter. The number and types of attacks are far more relevant; their division by country of origin along international borders is not.
Whenever we are presented with metrics, we must think critically to understand their value. Don’t get caught up in beautiful graphics or catchy titles. Challenge everything. Would you do something differently in your approach to securing your environment if the data changed radically? If not, then move along; nothing to see here.