
October 11, 2007



I also subscribe to the theory that the security market, for good or worse, is a market in silver bullets. The underlying reason is that there is an absence of hard objective science to base on, primarily because the attacker doesn't let you get away with dry & dusty theories or statistical models.

Out of that arises a world of best practices on the side of the buyer, a.k.a. outsourcing your security wisdom; on the part of the seller, it is whatever sells and whoever can talk the most complicated blah blah. As security experts never get tested on the results of their work by the market, the only thing that counts is appearance.


Irony: "a literary technique, originally used in Greek tragedy, by which the full significance of a character's words or actions are clear to the audience or reader although unknown to the character."

Irony: using qualitative labels ("real", "hard") to describe confidence (certainty) of data in a statement that expresses a lack of confidence in the use of qualitative labels.


Alex: Linus is a pretty canny fellow; I doubt irony is unknown to him.

Also, I don't see what he wrote as ironic. Schedules have performance metrics. Security does not. Some is greater than none. QED.

Iang: Let's see, complicated blah blah, appearance, and ingratiating with the customer. So IT security is basically politics?



Are you saying:

1.) Security does not have performance metrics?

2.) Security does not have metrics?

3.) Linus understands that the only difference between the metrics he likes and the metrics security can be using is a matter of certainty? If so, then he may be canny, but his patience and temperance leave something to be desired.


If security has metrics showing how application of security techniques affects the business performance of the companies that purchase it, it's odd that nobody presented them at the recent Metricon, a workshop dedicated to the measurement of security.

Security has various measurements of this and that, such as patches applied, intrusions detected, etc., but what do they mean to the people paying for them? If the CIO goes to the CEO's staff meeting or a board meeting and says "we spent $x and that let us apply Y patches" that's like the VP of Marketing saying "we spent $X and sent out Y press releases." So? How many press stories did those press releases produce, and which of those produced how many sales? And what's the equivalent for security?

OS schedulers tend to be measurable in very concrete terms related to what you can do with the operating system. Show me the security measures about which security techniques keep the OS up, available, and unimpaired by how much, preventing security problems or rapidly ameliorating them, and how much this affects the corporate bottom line. Better yet, present them at the next Metricon.
