While it may not be a question of when but more one of why, information security is heading down a path that needs metrics to thrive. That is an interesting question when you consider that the timeline for information security as a discipline is quite short; the young age of our industry translates into immature practices that are often reactive rather than proactive. It’s easy to think of Information Security as a child struggling to deal with the reality of an adult world. In this case the adults are sophisticated and determined “bad actors” who are pervasive and dogged in their approach.
To combat these forces many organizations are heavily invested in process, staff and technology that promise to reduce risk and decrease the likelihood of a data breach. While process and technology are readily available, there is a distinct shortage of skilled and capable individuals who can truly leverage these resources. So, we wait patiently as colleges, technical schools, and professional organizations struggle to fill the talent void created by excess demand. No doubt the supply will eventually catch up with demand…but when?
Look at the historical growth and optimization of any industry and it ultimately comes down to leveraging available resources and tracking improvements. In a world of limited human resources, utilizing those that are available in the areas that will provide the most improvement seems like the obvious answer. But in the world of information security there is one variable that is notably missing from the equation…the ability to track and evaluate performance. More than a century ago, Lord Kelvin (noted for the Kelvin scale of temperature measurement) made a simple yet definitive statement:
Despite these words of wisdom and the lessons learned in industries like manufacturing…Information Security continues to struggle with metrics and often resorts to “hope” as a strategy for reducing risk. Available frameworks like NIST and ISO provide best-practice controls that result in qualitative data, but the subjective nature of those statistics makes it difficult to definitively measure results and track improvements over time.
At the boardroom level, executives face increasing demands for funding to address security resource shortfalls (people and technology). Despite the strong desire for quantitative data to drive investment decisions, a general lack of performance data results in decisions once again founded on “hope”. This approach has a limited lifespan and will eventually force our industry to embrace metrics to justify resource demands.
It all starts with evaluating when and how information security resources are being used. By identifying quantitative performance metrics and collecting them on a recurring basis, organizations build the historical data that is critical to evaluating trends and identifying areas that need attention. With increasing demand for accountability and a market with limited resources, the forces of economics will eventually drive change.