Truth about computer security hysteria
Goals for computer security, part 2

Rob Rosenberger, Vmyths co-founder
Saturday, 19 March 2005

I'VE RAILED FOR years on the need for data, metrics, and goals in the computer security industry. Way back in 1999, I lamented "we'll never truly know what happened in the last thirteen years of virus attacks" because computer security personnel never bothered to archive — let alone review! — their log files.

Computerworld ran a guest opinion last week titled "how to justify information security spending." In reality it's a call for metrics & goals. Which is what I've been saying for years.

"Most companies don't run their information security operation like a business unit with a tightly focused strategy on customers, market and competitors," Danny Lieberman noted. "It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share." Regular readers will recall I filed a unique tirade on the need for benchmarks.

Lieberman asked Computerworld readers to ponder seven questions. #2: "Are Gartner white papers a key input for purchasing decisions?" I made my point years ago with a parody of a Gartner white paper. #3: "Does the information security group work without security win/loss scores?" I confronted virus fighters in 1999 when I asked "how do you justify your job?"

"If you answered yes to four of the seven questions," Lieberman concludes, "then you definitely need a business strategy with operational metrics for your information security operation." Which is what I've been saying for years.

Click here for Lieberman's piece. It's well worth the read.