My colleague Ben Rothke (@benrothke) recently wrote a good piece on basing information security decisions on good data. I like his approach – it’ll make you think. It’s true we do need good data so we can make better decisions. Sadly, we often don’t have the data or, if we do, we’re not qualified to interpret it.
Maybe it’s just me, but I don’t believe my degrees in computer engineering and management of technology qualify me as an “enterprise statistician”. That still doesn’t make information security oversights okay. The dilemma reminds me of something Gilbert Arland once said: “Failure to hit the bullseye is never the fault of the target.” We do need good data. It’s just not that simple in the world of information security.
The problem is similar to the underlying principle of goal setting and leadership: how are you going to know which way to go if you don’t know where you’re headed, much less how to get there?
The reality is, we’re never – at least for the foreseeable future – going to have all the right data to make good information security decisions. We have to do the best with what we’ve got. But that shouldn’t keep us from focusing on what’s obviously important. Case in point: based on experience, I can say that the majority of organizations I’ve seen (both small and large) haven’t even addressed the basics of information security. Why burden ourselves with complex risk calculations when the bleeding and the cure are right before our eyes?
Don’t get me wrong. Quantifiable risk calculations have their place in our industry. But unless and until we get the basic stuff under control, what’s the point of making things even more complicated? I’m just saying.
Stay tuned for Part 2 of Ben’s article…