Measuring Security Program Value

I recently read an essay by Matthew Rosenquist titled: “Top Techniques for Measuring Security Value.”  The content was from a class he taught periodically.  In this section, he was attempting to teach “how to think critically while calculating information security value.”  He presents a list of “methods to show value.”  He makes it clear that they are presented as “archetypes” of measuring techniques along with his quick summary of strengths, weaknesses, and applicability for each.

I recommend the list to security professionals.  It leaves me uncomfortable, and wondering “what next.”  Each of the archetypes is proposed periodically by individuals I work with, by writers in trade publications, by industry experts, by consultants, and by pre-sales engineers working for the great, global “security” firms.  Too often they are, to me, the noise attempting to fill the space that is senior management’s desire for a simple story.  None are easy.  All have serious implementation issues.  And when I read quickly through the eight metrics, they ring hollow.

It is not entirely clear to me, but it seems that they ring hollow for Matthew Rosenquist as well.  He sums up his essay with, “Let common sense prevail.  If the value must be understood to compare to other options, articulate security posture, or justify spending, then do an assessment.  Otherwise, ask yourself if it is really needed.”  He offers that it is OK “to not measure the value of a security program.”

I hope that Mr. Rosenquist has the opportunity to build out his argument and rationale.  The mass of effort devoted to outlining the archetypes, followed by the quick proposal that they can be ignored, is supremely unsatisfying.  This is rich territory.  There are such vast economic forces behind the application of one or more of his archetypes, and historical momentum [at least in my experience] so tends to exaggerate their mass, that it is difficult to imagine senior leaders coming around to the “Let common sense prevail” approach.

There is some risk, though, that one individual’s common sense is an absurdity to another.  Professionalism, experience, and a drive to become an expert in risk management matter.  The opinions of a novice, or an “outsider,” may have their place in corporate information, infrastructure, and technology operations risk management, but they bring with them a risk-rich challenge.  I’ll save a discussion of that topic for another day.

Read Mr. Rosenquist’s essay and let me know what you think.

— References —

Matthew Rosenquist, “Top Techniques for Measuring Security Value.”
