Security Metrics' crying need is for metrics that serve others, outside of infosec.
In infosec, we think of the biggest influencers as the people who give talks at conferences. I disagree. Here is my list of the top five influencers on your security: these are the people who will impact security, positively and/or negatively.
- The Person Coding Your App
- Your DBA
- Your Testers
- Your Ops team
- You
With the possible exception of #5, none of them work in security. This is alarming because the security industry markets almost exclusively to security teams. Yet, with very few exceptions, every security decision is made outside of the Information Security team. Decisions that shape our security are made by developers, admins, architects, "the business", DBAs, customers, users, and on and on. Infosec is one very small department, yet our metrics, "breach reports" and the like are tailored to this tiny rounding error of a department (and, of course, the people who fund them).
A good way to get better, more useful security metrics is to focus on the crying need for security metrics that help other parts of the organization. Find ways to get useful information into other teams' hands, and help them make and run better software.
I would actually go with:
5) Users
6) You
Posted by: David Mortman | October 16, 2013 at 10:10 AM
@mortman - nice addition
Posted by: gunnar | October 16, 2013 at 10:18 AM
I'd say this is dead on. In my company I would put the ops team in number one. In most companies isn't it the business that determines what the DBAs are administering and what the developers are developing?
Posted by: Mel Drews | October 22, 2013 at 06:40 PM
Is this saying "you're doing it wrong"? Should security be a separate silo or integrated?
Posted by: LukeDonoho | October 28, 2013 at 08:40 PM