Comments on: Measuring Security Professionals Performance http://www.andyitguy.com/blog/?p=791 The voice of reason in a world of FUD Wed, 01 Sep 2010 17:20:42 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: what we’re reading, week of 8/3 « VPN Haus http://www.andyitguy.com/blog/?p=791&cpage=1#comment-6219 what we’re reading, week of 8/3 « VPN Haus Thu, 06 Aug 2009 20:49:06 +0000 http://www.andyitguy.com/blog/?p=791#comment-6219 [...] IT Guy… Measuring Security Professionals Performance Andy ponders the thoughts of analyst Pete Lindstrom’s and the ability to measure security [...] [...] IT Guy… Measuring Security Professionals Performance Andy ponders the thoughts of analyst Pete Lindstrom’s and the ability to measure security [...]

]]> By: Pete http://www.andyitguy.com/blog/?p=791&cpage=1#comment-6214 Pete Thu, 06 Aug 2009 17:56:04 +0000 http://www.andyitguy.com/blog/?p=791#comment-6214 So Allen's comment is an excellent example of my concern. IMO, it is not good enough to simply say it is too hard, or it doesn't work. We have to find a way that works. Sometimes this is simply changing .01% to some notion of, say, six sigma, which is much smaller than that. I am a big believer in measurement, though not to the point of ignoring its weaknesses. Pete So Allen’s comment is an excellent example of my concern. IMO, it is not good enough to simply say it is too hard, or it doesn’t work. We have to find a way that works. Sometimes this is simply changing .01% to some notion of, say, six sigma, which is much smaller than that.

I am a big believer in measurement, though not to the point of ignoring its weaknesses.

Pete

]]> By: Allen Baranov http://www.andyitguy.com/blog/?p=791&cpage=1#comment-6206 Allen Baranov Thu, 06 Aug 2009 10:52:40 +0000 http://www.andyitguy.com/blog/?p=791#comment-6206 The problem with metrics is that they aren't very useful for InfoSec. I'm sorry to say. If you remain 99.99% safe from hackers that sounds good but if that .01% is a hack in which all your customers credit cards goes for a walk and your CEO has to appologise during his year end speech - not good. You patch 100% of critical servers and 99.9% of non-critical servers, but the server that is not patched shares a database with your finance system and allows someone to break into that database and transfer money out.. Your users safely browse 1.3 billion web pages monthly but only one has a CSRF that transfers money into a hackers account. What is the better option? I have no idea.. The problem with metrics is that they aren’t very useful for InfoSec. I’m sorry to say.

If you remain 99.99% safe from hackers that sounds good but if that .01% is a hack in which all your customers credit cards goes for a walk and your CEO has to appologise during his year end speech – not good.

You patch 100% of critical servers and 99.9% of non-critical servers, but the server that is not patched shares a database with your finance system and allows someone to break into that database and transfer money out..

Your users safely browse 1.3 billion web pages monthly but only one has a CSRF that transfers money into a hackers account.

What is the better option? I have no idea..

]]>