In the world of the security professional, our work languishes amidst the ambiguity of the unknown -- though we clearly recognize the uncertainty associated with information systems, we are challenged to determine where along the risk spectrum that uncertainty resides. We rely on anecdotal evidence from known incidents. And again, human biases intervene as behavioral economists demonstrate that emotional attachment (affect heuristic) and personal experiences and anecdotes (availability heuristic) conspire to create overreaction.
When all of these concerns gel, some collective creates the tenuous notion of "best practices," a phrase whose meaning varies widely depending on the circumstances under which it is uttered. A second wave of best practices, fueled by a never-ending supply of incidents and self-reinforcing, degenerates into regulations around controls with no real empirical evidence that they work. And slowly the actual threat, the exploits, compromises, and incidents that carry losses, is displaced by a stand-in: the failure to achieve some status of control that may or may not contribute to a reduction in risk.
That leaves us in a situation where fear, uncertainty, and doubt are not only the progenitors of our IT situation, but also drive our own not-quite-arbitrary techniques and actions. That is, even our FUD is supported by FUD.
The good news is that we've turned the corner. The truth of the matter is that there is a new generation of security professionals who understand risk and understand business needs. These security professionals are questioning long-held beliefs about controls and seeking out evidence that supports or refutes the strength of the security posture.
That T-shirt that reads "just because I'm paranoid, doesn't mean they aren't out to get me" is funny because it is true; our fears could certainly be warranted. That said, we can't be afraid of our own shadow: not every threat scales to the point where it deserves a response. What is real is objective information that the business decision maker(s) can understand and take seriously. After all, we aren't really risk managers if we always recommend every control we can think of. The true risk manager earns their wings on the day they propose to accept some risk (i.e., conclude that it requires no mitigating action).
Objective information must come in the form of quantitative measures, if only to ensure precision, though not necessarily accuracy, for all participants. That said, there will still be a lot of assumptions and outright guesses involved that must be reviewed. Indeed, the first few months of a metrics program involve more questions than answers.
Metrics provide the way to show historical information for trending and benchmarking. They are the objective inputs that serve as starting points for future consideration, including predictions about risk and appropriate courses of action. They are not perfect by any means, but they are better than any subjective, qualitative approach if only to bring an empirical perspective to risk decisions.
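As an added illustration of the two points above (metrics give precision but not necessarily accuracy, and the assumptions behind them must be reviewed), the following Python is example code written for this page, not the author's or Spire Security's own method. It takes a constructed two-year series of monthly incident counts, fits a trend, projects next year's incident frequency, benchmarks the second year against the first, and then shows how a precise-looking annualized loss figure swings with the guessed loss per incident. The function names, the incident counts, and the loss assumptions are all hypothetical.

```python
"""Added example: from incident history to a quantified risk estimate,
with an explicit sensitivity check on the guessed inputs.

All data here is constructed for illustration; none of it is real.
"""

from statistics import mean

# Constructed monthly counts for one incident class (say, phishing-led
# account compromises) over 24 months. Hypothetical numbers.
MONTHLY_INCIDENTS = [3, 2, 4, 3, 5, 4, 6, 5, 5, 7, 6, 8,
                     7, 9, 8, 10, 9, 11, 10, 12, 11, 13, 12, 14]

# Hypothetical per-incident loss assumptions the metrics program might be
# asked to review, in currency units.
LOSS_ASSUMPTIONS = [5_000, 20_000, 50_000]


def linear_trend(values):
    """Ordinary least-squares slope and intercept over index 0..n-1.

    The slope is incidents per month per month: the trend the metric
    program reports, as opposed to an anecdote about last week's breach.
    """
    n = len(values)
    xs = range(n)
    x_bar = mean(xs)
    y_bar = mean(values)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, values))
    slope = sxy / sxx
    intercept = y_bar - slope * x_bar
    return slope, intercept


def projected_annual_frequency(values, months_ahead=12):
    """Extrapolate the fitted trend over the next months and sum it.

    Counts cannot go negative, so a falling trend is clamped at zero.
    """
    slope, intercept = linear_trend(values)
    n = len(values)
    return sum(max(0.0, intercept + slope * (n + k)) for k in range(months_ahead))


def benchmark_change(values, window=12):
    """Relative change of the most recent window versus the one before it.

    This is the simplest benchmark: are we getting better or worse than
    our own past, stated as a fraction rather than a feeling.
    """
    recent = sum(values[-window:])
    prior = sum(values[-2 * window:-window])
    return (recent - prior) / prior


def annualized_loss(frequency, loss_per_incident):
    """Expected annual loss: projected frequency times assumed magnitude."""
    return frequency * loss_per_incident


def sensitivity(values, loss_assumptions=LOSS_ASSUMPTIONS):
    """Map each assumed per-incident loss to the resulting annualized loss.

    The frequency is measured from history; the magnitude is a guess. The
    spread of this table is what a reviewer should look at: the outputs are
    precise to the cent, but their accuracy is bounded by the guess.
    """
    freq = projected_annual_frequency(values)
    return {loss: annualized_loss(freq, loss) for loss in loss_assumptions}


if __name__ == "__main__":
    slope, intercept = linear_trend(MONTHLY_INCIDENTS)
    print(f"trend: {slope:+.3f} incidents/month/month, intercept {intercept:.2f}")
    print(f"year-over-year change: {benchmark_change(MONTHLY_INCIDENTS):+.1%}")
    print(f"projected incidents next 12 months: "
          f"{projected_annual_frequency(MONTHLY_INCIDENTS):.1f}")
    for loss, ale in sensitivity(MONTHLY_INCIDENTS).items():
        print(f"assumed loss {loss:>7,} per incident -> annualized loss {ale:>14,.2f}")
```

The useful output is not any single annualized figure but the spread across the assumption table: a tenfold change in a guessed input produces a tenfold change in a number that looks authoritative to two decimal places. That is exactly why the assumptions, not just the arithmetic, are what a metrics program must review.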
About the author:
Pete Lindstrom is Research Director for Spire Security, an industry analyst firm focused on information security issues and market research.