Enterprise security organizations often find themselves caught between the ever-changing needs of an agile business and the ever-present, ever-evolving threats to that business. At the same time, all too often we security professionals get caught up in "shiny object syndrome", which leads us to spend poorly, allocate resources unwisely, and generally decouple from the organization we're chartered to defend. Knowing how to defend begins with knowing what you'll be defending, why it is worth defending, and who you'll be defending it from... and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond-the-tools perspective... so follow the Wh1t3 Rabbit and remember that tools alone don't solve problems; strategic thinkers are the key.
Rafal (Principal, Strategic Security Services)
Mark Twain popularized the phrase "There are three kinds of lies: lies, damned lies, and statistics"... well, I think we can add a fourth, affectionately known as "security metrics". If you've ever reported security metrics, you likely know exactly what I'm talking about... here's a little insight.
What is the difference between a metric and a KPI?
If you're still reporting metrics to your management, you're probably wasting a lot of time and accomplishing very little. I know this from experience. It's time to get Information Security some respectability and get off that hamster wheel. KPIs are your way off.
Hi everyone, today I'm happy to announce that my technical whitepaper titled "Tracking Performance of Software Security Assurance - 5 Essential KPIs" is available for public distribution!
You can get your copy right here, and feel free to share it, provide feedback in any of the many forums you can find me in, and discuss! I'd love your feedback on how to make the next version better.
While those of us who lovingly embrace the term "security nerd" are forever chasing the next cool, sexy 0day attack vector or breakage, your CISO probably gets more excited about "compensating controls" and things of that nature. If you really want to make a CISO sweat, ask them to show you the ROI on their security program!
It's been a very interesting couple of weeks since we officially released my 5 Web App Security KPIs back on October 5th via the SANS ToolTalk webcast. I've noticed that over the last month or so I've had one of two types of conversations, so I'll sum them up here in a tidy blog post in case you're thinking about pinging me on the subject, or if you haven't heard yet.