2007 Incite: Get with the Program
As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist the business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to help get things done and communicate progress. Security management tools (predominantly SIEM) continue to leave customers wanting both value and assistance in automating programmatic operations.
2008 Incite: Express Your Inner Bean Counter
Substantiating the value of security continues to plague practitioners, who still can’t specifically answer the question: “Are we secure?” Structured security programs (ISO 27001/2, COBIT, Pragmatic CSO) help align programmatic activities, and look for significant advances in the area of security metrics – where the industry begins to gain consensus about what can and should be tracked.
As you can see from above, the Incite on security programs is slightly evolved from 2007. So what’s changed? First of all, the state of security programs is still nascent. CSOs still have a problem substantiating value. They can’t control their to-do list. They can't keep their customers happy. The attackers never take days off, they don't sleep. If anything, life has gotten even harder for security professionals, though it’s certainly hard to envision that happening.
My continued focus on security programs is self-serving, although the feedback I've gotten from folks who are using the Pragmatic CSO in practice has been outstanding. But I'm not religious; use whatever you want. Just use something. Put some structure into your operations. Have a plan that is business relevant. Be able to substantiate what you do and why, for both internal (senior management) and external (auditors) parties.
Ultimately, you need to be able to crisply answer the question: “Are we secure?” Increasingly, the bean counters are asking tougher and tougher questions about why funding for security must be maintained and what return they’ve gotten from years past, when the security team spent money like drunken sailors. And the idea that you haven’t had a breach (if you are lucky) isn’t really good enough.
What's new this year is a specific focus on metrics because I think that’s really the sticking point. Andy Jaquith’s seminal work (Security Metrics: Replacing Fear, Uncertainty, and Doubt [1]) hit in April of last year. It’s great stuff and really lays out the problem in more depth than anyone has thus far. You’ve got to walk before you run and Andy’s book has made us all toddlers. Now we need to take it to the next step, so to speak.
The industry is still bickering about what makes sense to track and what is going to resonate with the powers that be. Remember, the powers that be want to know how this is impacting the BUSINESS. Not how cool the technology is. They don’t care that 99% of the applicable servers are patched by 11 AM on Exploit Wednesday (the day after Patch Tuesday). They just don’t care.
So we’ve got to make more progress on coming to consensus relative to what is important to track. The good news is that I do think we’ll be making progress on these fronts in 2008. We need to start establishing some “benchmarks” of what good security performance looks like. You may suck or you may be great. How do you know? Until we can answer that question, we’ll be in our own little version of Groundhog Day.
Big abacus image uploaded by: cowsmanaut [2]