Vmyths.com



Truth about computer security hysteria

Goals for computer security, part 2

Rob Rosenberger, Vmyths co-founder
Saturday, 19 March 2005

I'VE RAILED FOR years on the need for data, metrics, and goals in the computer security industry. Way back in 1999, I lamented "we'll never truly know what happened in the last thirteen years of virus attacks" because computer security personnel never bothered to archive — let alone review! — their log files.

Computerworld ran a guest opinion last week titled "How to justify information security spending." In reality it's a call for metrics and goals, which is what I've been saying for years. "Most companies don't run their information security operation like a business unit with a tightly focused strategy on customers, market and competitors," Danny Lieberman noted. "It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share." Regular readers will recall I filed a unique tirade on the need for benchmarks.

Lieberman asked Computerworld readers to ponder seven questions. Question #2: "Are Gartner white papers a key input for purchasing decisions?" I made my point years ago with a parody of a Gartner white paper. Question #3: "Does the information security group work without security win/loss scores?" I confronted virus fighters in 1999 when I asked "how do you justify your job?"

"If you answered yes to four of the seven questions," Lieberman concludes, "then you definitely need a business strategy with operational metrics for your information security operation." Which is what I've been saying for years. Lieberman's piece is well worth the read.