Measuring Security

For nearly a decade I have been regularly coming back to one of the hardest problems in security, measuring it. There are lots of opinions and no shortage of books full of candidate metrics and there are swathes of consultants prepared to give you a spreadsheet of metrics to go measure and develop a red/amber/green dashboard to understand them. It does seem to require practitioners to dig a bit deeper often to find a good approach to developing metrics and measurements that are actually of value to a particular organisation.

This post captures some of the thinking I’ve distilled from some of the big thinkers in the field. Talking of big thinkers…

“When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the state of science.” —Lord Kelvin, 1824-1907

“It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.” —Sir Arthur Conan Doyle, 1887

“Security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers.” — Dan Geer, 2008

Read the rest of this entry »

The security opportunity in Digital

Four years ago I discussed some of the characteristics of cyber security that made the use of the term useful, this was at a time when the use of cyber security was widely derided by practitioners of IT security and Information Security. One of the common complaints was that Cyber was just the same things we had already been doing re-branded to seem ‘cool’. As time has moved on the practices of cyber have become clearer, the use of threat intelligence, the development of threat hunting, the increased focused on incident response, the wide deployment of behavioural analytics etc. As is the case early adopters knew they were solving new problems in a new way but the articulation of meaning to the later adopters has needed a body of activity and emerging practices to clarify how cyber security overlaps with but also differs from the other predecessor disciplines IT and Information Security (both of which are still going strong and are still necesary).

Another buzzword appeared soon after cyber and that was Digital. Digital is a customer-focused technology-first approach to business that again looked just like what we were doing before in technology and business activities. Over time practices have emerged, agile development, devops, infrastructure automation, cloud, mobile, social etc that have started defining what the early adopters really meant when they said Digital.

Digital lies in the intersection of velocity, scale and complexity.

Read the rest of this entry »

Cyber Resilience: Part Six Recommended Reading


Here are the sources used when developing the thinking behind this blog series:

Read the rest of this entry »

Cyber Resilience: Part Five What next?

Cyber resistance clearly requires leadership and operational intervention from specialised cyber professionals.  However, Cyber Resilience requires a broader institutional response that encompasses all aspects of the business.  As such, it needs to be owned by the entire executive management of an organisation.

The Department encourages all institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.” Benjamin Lawsky, Superintendent of Financial Services, New York State Department of Financial Services, December 2014

Read the rest of this entry »

Cyber Resilience: Part Four Companies’ Plans Must Include Both Resistance and Resilience

Resistance to cyber attack is undoubtedly valuable and can produce effective outcomes. However, resistance is expensive and there is a law of diminishing returns on the investments made in resistance, Moreover, because the preparations and mitigations employed in resisting attacks are often specific to particular, point-in-time threats, ongoing resistance is both complex and fragile — unexpected shifts in attacker tactics can bypass existing defences and leave organisations struggling to deploy new controls at an appropriate pace. Faced with the total capabilities of nation-state attackers or state-sponsored cybercriminals, many organisations are unable to deploy effective controls quickly enough or spend enough money to completely mitigate the totality of the threats they face.

“Financial firms should assume they will be subject to destructive attacks and develop capabilities and procedures to resume operations. Financial firms also need to be ready to quickly restore computer networks and technology-enabled operations in response to known or unforeseen threats that could cause catastrophic disruption.” Financial Stability Oversight Council (FSOC) 2015 Annual Report

Read the rest of this entry »

Twitter RSS