lcamtuf's blog: In praise of anarchy: metrics are holding you back.
Michal Zalewski presents two risks of a security metrics program: reduced adaptability and reduced agility.
The frameworks for constructing security metrics often promise to advance one’s adaptability and agility, but that’s very seldom true. These attributes depend entirely on having bright, inquisitive security engineers thriving in a healthy corporate culture. A dysfunctional organization, or a security team with no technical insight, will not be saved by a checklist and a set of indicators; while a healthy team is unlikely to truly benefit from having them.
While I am certainly not advocating against security metrics, it is worth noting the risks.
Fear, Information Security, and a TED Talk « The New School of Information Security.
A TEDMed talk by Thomas Goetz, a great talk about making health information understandable to patients in order to motivate them to action. Adam blogged about it because it reinforces his view that fear does not motivate management to invest in information security.
Thomas suggests a four-step feedback loop: personalized data, relevance, choices, action.
For health care, Thomas shows that the key problem is poor information presentation design. Is the problem the same in information security, or is it the lack of relevant information to present?
In information security, people, and especially management, don’t act because they don’t believe that more firewalls, SSL and IDS will protect their cloud services. They don’t believe that because we don’t talk about how well those things actually work. Do companies that have a firewall experience fewer breaches than those with a filtering router? Does Brand X firewall work better than Brand Y? Who knows? And absent knowing, why invest? There’s no evidence of efficacy. Without evidence, there’s no belief in efficacy. Without a belief in efficacy, there’s no investment.
We’re going to need to move away from fear and to evidence of efficacy. Doing so is going to require us all to talk about investments and outcomes. When we do, we’re going to start getting better rapidly.
The Top 10 Security Questions Your CEO Should Ask — CIOUpdate.com.
From PwC, here are the top ten questions your CEO should be asking you:
- Who is accountable for protecting our critical information?
- How do we define our key security objectives to ensure they remain relevant?
- How do we evaluate the effectiveness of our security program?
- How do we monitor our systems and prevent breaches?
- What is our plan for responding to a security breach?
- How do we train employees to view security as their responsibility?
- How do we take advantage of cloud computing and still protect our information assets?
- Are we spending our money on the right things?
- How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner?
- How do we meet expectations regarding data privacy?
The article provides a paragraph or two on each of these questions.