Truth About Computer Security Hysteria
Goals for computer security, part 2
Rob Rosenberger, Vmyths co-founder
Saturday, 19 March 2005
I'VE RAILED FOR years on the need for data, metrics, and goals in the computer security industry. Way back in 1999, I lamented "we'll never truly know what happened in the last thirteen years of virus attacks" because computer security personnel never bothered to archive — let alone review! — their log files.
Computerworld ran a guest opinion last week titled "how to justify information security spending." In reality it's a call for metrics & goals. Which is what I've been saying for years.
"Most companies don't run their information security operation like a business unit with a tightly focused strategy on customers, market and competitors," Danny Lieberman noted. "It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share." Regular readers will recall I filed a unique tirade on the need for benchmarks.
Lieberman asked Computerworld readers to ponder seven questions. #2: "Are Gartner white papers a key input for purchasing decisions?" I made my point years ago with a parody of a Gartner white paper. #3: "Does the information security group work without security win/loss scores?" I confronted virus fighters in 1999 when I asked "how do you justify your job?"
"If you answered yes to four of the seven questions," Lieberman concludes, "then you definitely need a business strategy with operational metrics for your information security operation." Which is what I've been saying for years.
Lieberman's piece is well worth the read.