Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Patrick Foley

Crossing the Metrics Rubicon: Quest for the Perfect Measurement

As vendors continue to sell us the latest and greatest tools for monitoring hosts, detecting and preventing network intrusions and scouring application code, we now have an abundance of data that was unavailable to us a relatively short time ago. Yet these data often provide no context; presented in their raw form, they will at best bore management into a stupor and, worse, could reinforce the perception of security staff as charlatans and soothsayers who construct a web of fear designed to keep ourselves in business while avoiding the prying eyes of bean counters and process re-engineering efforts.

I also believe that if there were a simple answer, we would already know it, and since there are lots of people smarter than me working in security who still have not solved this problem, there are probably no universally perfect metrics. For better or worse, there is no exchange like the stock market that would permit trading shares of risk in individual enterprises based on their technology and security investments, sensitivity of data, exposure to the internet and internal processes.

But there are potential models in the securities trading and insurance fields that might provide some guidance for building security metrics models. Our challenge is gathering the volume of current and historical data those industries use to build their risk models. Further, we need a reasonably consistent and universal framework for measuring and testing security controls. Some regulations, like PCI and HIPAA, are potentially prescriptive enough to serve as a starting point, but they are a far cry from the frameworks that financial auditors use.
