Strategic CIO // IT Strategy
Commentary
1/8/2014
09:36 AM
Jeff Lowder

Is Your Security Program Effective? 7 Must-Ask Questions

Business leaders can, and should, insist on metrics to prove protection efforts are worth the money.

Comments
jlowder,
User Rank: Apprentice
1/9/2014 | 6:14:53 PM
Re: Calibrate: Specialty based?
Xylogx -- How should an organization decide which information security controls to invest in and how much to invest? It seems to me that decision analysis, including information risk analysis and game theory, is the best option we have. As you point out, even the best risk management practices may fail to predict a "black swan" event. But, again, what is the alternative decision-making method? The two words, "black swan," don't help us answer that question. What those words do is this: they remind us that our methods for dealing with uncertainty are imperfect.

We still have to make decisions, including decisions about where to invest limited budget for information security programs. Risk analysis, imperfect as it may be, can help us to make better decisions than we would have made otherwise.
Lorna Garey,
User Rank: Author
1/8/2014 | 3:51:34 PM
Re: Calibrate: Specialty based?
If you can afford to protect against a black swan scenario, I want to get to know you!
Xylogx,
User Rank: Apprentice
1/8/2014 | 3:45:22 PM
Re: Calibrate: Specialty based?
Two words: Black Swan
jlowder,
User Rank: Apprentice
1/8/2014 | 3:39:50 PM
Re: Security Metrics
Hi Laurianne -- Thanks! The only metric that comes to mind is the Common Vulnerability Scoring System (CVSS) score. I'm a big fan of CVSS and want it to be successful, but the way it's implemented violates basic statistics by committing what's known as the base rate fallacy. In short, CVSS focuses on what we know about a sample (say, a vulnerability in a specific version of Apache) while completely ignoring what we know about the larger population (in this case, Apache software in general). The obvious way to fix CVSS, of course, is to factor base rates into the formula.
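To show what the base-rate point in the comment above means in numbers, here is an added illustration (not the commenter's code, and not CVSS's formula). It applies Bayes' rule to a "high severity" signal: the hit rate, false-alarm rate and per-population base rates below are constructed assumptions chosen only to make the effect visible.

```python
# Added example: the base-rate fallacy applied to a vulnerability severity signal.
# All numbers are constructed assumptions for illustration, not real CVSS data.

def posterior_probability(base_rate, hit_rate, false_alarm_rate):
    """P(vulnerability is actually exploited | it was flagged 'high severity').

    base_rate        -- fraction of vulnerabilities in this population that
                        end up exploited (what we know about the population)
    hit_rate         -- P(flagged high | exploited)      (what we know about the sample)
    false_alarm_rate -- P(flagged high | not exploited)
    """
    p_flagged = base_rate * hit_rate + (1 - base_rate) * false_alarm_rate
    if p_flagged == 0:
        return 0.0
    return base_rate * hit_rate / p_flagged

def compare_populations(populations, hit_rate, false_alarm_rate):
    """Return (name, posterior) pairs, highest posterior first.

    Every population receives the *same* severity signal; only the base
    rate differs, which is exactly the information a sample-only score drops.
    """
    ranked = [(name, posterior_probability(rate, hit_rate, false_alarm_rate))
              for name, rate in populations.items()]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked

# Constructed assumptions: the same scoring signal across two software populations.
HIT_RATE = 0.9          # assumed: 90% of exploited vulns get flagged "high"
FALSE_ALARM_RATE = 0.1  # assumed: 10% of never-exploited vulns are also flagged "high"
POPULATIONS = {         # assumed base rates, chosen to make the contrast visible
    "rarely-attacked internal tool": 0.02,
    "widely-attacked web server": 0.30,
}

if __name__ == "__main__":
    print(f"naive reading of the signal: {HIT_RATE:.0%}")
    for name, posterior in compare_populations(POPULATIONS, HIT_RATE, FALSE_ALARM_RATE):
        print(f"{name}: P(exploited | flagged high) = {posterior:.1%}")
```

The naive reading treats a "high" flag as roughly 90% likely to matter; once the base rate of the population is factored in, the same flag means about 16% in the low-base-rate population and about 79% in the high-base-rate one.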
jlowder,
User Rank: Apprentice
1/8/2014 | 3:33:56 PM
Re: Calibrate: Specialty based?
Hi Lorna -- The concept of calibration is very general -- it's not specific to security at all. You can use calibration training to improve estimates of any uncertain quantity. For a great overview, check out Doug Hubbard's book, How to Measure Anything.
Laurianne,
User Rank: Author
1/8/2014 | 1:51:41 PM
Security Metrics
Jeff, thanks for sharing this detailed advice. Do you have any thoughts to share with readers on security ROI metrics that aren't working any more, that have outlived their usefulness? Thanks
Lorna Garey,
User Rank: Author
1/8/2014 | 11:07:13 AM
Calibrate: Specialty based?
I'm intrigued by the concept of calibration training as a way to make people cognizant of their biases. Is this training based on specialty, such as security, or is it more general?