Yesterday I was asked a question in passing. The question was this: Are we more secure today? My reflexive answer was “yes, we get more secure every day.” After all, how else could I justify my employment? This question challenged me on many levels. My first thoughts were: how can you qualitatively measure security? Do we feel more secure today? Why do I feel more secure today? Is it based on what my security experts told me? And what are they basing their opinion on?
Next my thoughts turned to the lessons of 9/11 and the asymmetric nature of the cyber-security battle. In cyber security, just as in homeland security, “we have to be right all the time and the bad guys just have to be right once.” Just last week, Shawn Henry, the FBI’s “top cyber cop,” told the Wall Street Journal that more and more FBI agents, while working on other cases, are encountering data stolen from companies who had no idea that their systems had been compromised.
“We have found their data in the middle of other investigations,” he said. “They are shocked and, in many cases, they’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.” (See the WSJ article.)
What does being “more secure” mean? Security is about managing risks, not eliminating them. After all, every transaction has inherent risk because trust is involved. So a proper answer to the question “Are we more secure today?” really involves a discussion about risk. Risk drives the train. OK, so are we better at managing our risks today?
There are two types of risks: the known and the unknown. The best thing about known risks is that they can be managed. An important first step is identifying all of the risks and then prioritizing them. In the field of security, risk is defined as the likelihood of a threat acting on a specific vulnerability. Once risks are known, managing them involves deciding either to accept each risk or to reduce it to an acceptable level. Risks can also be transferred; this is often done with insurance policies or contractual service level agreements.
Security is less about deploying technology; it’s more about doing the right things, right. In that sense, security is closely related to quality assurance and financial management. There are security industry benchmark measurements that can be used to quantitatively measure security improvement efforts. World-class companies have hard measurements that can be used to answer the daily question: are we more secure today? Implementing metrics requires organizational process maturity and some tactical investments in technology. In-depth knowledge of one’s current security posture will allow the organization to chart a course for sustainable security improvement, and this really should be the goal of every company.