Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog that I’m sharing it with you. My only complaint is that I wish I had written it instead. Go read it right now.
Great post, Josh, and very good discussion from wgragido, ean, and gorrie.
Regarding what InfoSec people and CISOs should do differently to evolve/change/adapt more effectively, we could start by including some “meta-metrics” for organization learning, agility, etc.
I gave a presentation at Metricon a few years ago on this topic: “Security Meta Metrics – Measuring Agility, Learning, and Unintended Consequences” http://meritology.com/resources/Security%20Meta%20Metrics.ppt . It includes some specific ideas for such metrics, but really almost any metric will be better than the willful ignorance that most security organizations have today about continuous learning.