Fortune Cookie Security Advice – Relevance of Metrics – Feb 2010

Metrics Show the Relevance of Information Security  

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking about how security applies to their environment.  The key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for February, 2010:

Metrics Show the Relevance of Information Security

Although not easy, metrics show the relevance of information security programs, or the lack thereof.  Internal security does not generate revenue; it is a cost center.  The value of such initiatives is derived from the amount of loss they prevent.  Metrics can show this relationship and represent the value.  Sounds simple, but in fact it has been one of the long-standing challenges in the security industry.

Security metrics are immature.  No pervasive standards exist, and organizations continuously struggle to independently show value.  Advances are being made, but we are not at a stable point of comfort and confidence.  More research is needed.  A recent Department of Homeland Security report ranks metrics as #2 among its top security research areas.

Some metrics do exist, but organizations are currently faced with an awful decision: meaningful or accurate; pick one.  Vague metrics are possible but lack tangible results which can be compared or quantified.  A flashing red light does not speak to dollars saved, how systems can be improved, or the future outlook.  Nor do simple metrics accurately reflect true causal relationships.  More accurate metrics are very difficult or in many cases impossible to deliver.  The industry has not settled on provable and reliable methodologies which scale with any confidence.  What can be produced with high accuracy typically provides little substance and not much assistance when making complex decisions.  Although specific metrics can provide dollar savings for small environments, they are likely to lack accuracy and can easily be challenged.  Such false predictions may be cause for an overall loss of confidence in a security organization, a risk many groups don’t want to take.  Security metrics still have a long road to travel, though their role is undeniable in showing the relevance of security.

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry-leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry, and his guidance can be heard at conferences and found in whitepapers, articles, and blogs.