Security can be measured
Security vendors have long been criticized for making grandiose claims about the efficacy of their wares. They have taken to presenting return on investment (ROI) arguments to justify the sales of their gear. In his article Security ROI: Fact or Fiction?, Bruce Schneier makes this point and further argues, quite effectively, that calculating a specific product or solution's potential ROI "is mostly bunk in practice."
I thoroughly agree. Further, I have seen vendors make a fast U-turn when a customer asks for a "guarantee" or "warranty" on the performance of the specific product in question. In my mind, any sort of ROI should be associated with a performance assurance. Or, one could equally ask the vendor, "OK, I see your ROI assumptions. Now, since you won't give me a written warranty, how much should I discount the value of your ROI proposition?" The two cannot be separated.
Bruce also makes well-reasoned cases for the use of ALE, or Annualized Loss Expectancy, a risk view of security budgeting.
My only fear is that readers might, as I did at first, come to the conclusion that security is not measurable. Far from it -- there are many additional specific data points that can contribute to the evaluation of risk and security. Some of them are indeed even derivable directly from a wide range of security products and integrated solutions.
First, I don't believe security professionals should get dragged into the endless and futile debate over the value of information. That is not our job. The value of information should be determined at the highest levels of the organization. As Bruce says, in the event of a security incident, many of those values are intangible -- customer reactions, market perception, cost to re-brand along with the more traditional event mitigation and direct consequential costs.
But we can help. A few basic concepts should help understand that some aspects of security are measurable--and meaningful--if we find a common metric. Without getting into all of the math and formulas, that metric is time. From a risk and security standpoint, time is a common theme where we can bridge other information. A few mantras:
-- A security event should be detected rapidly.
-- A detected security event should trigger an alert as quickly as possible.
-- The cyber-first-responder should react to the alarm in as close to zero-time as required by policy and the detected and evaluated severity of the threat.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
