My 4 year old son loves math. In particular, he loves to count.
And as he’s gotten more comfortable with numbers, he’s taken to asking things like “Tell me how many,” and saying “Count with me,” when I tell him that it’s going to be 4 more days or 2 more hours or 30 more minutes before he can do or have something he wants.
When I tell him it’s going to be 4 more days until something happens, this is the next thing he does:
“Ok, Papa. So let’s count them.”
“Ok. I’m ready for my surprise now.”
Which of course begets some understandable angst when I try to explain to him that simply counting to a set number isn’t the same thing when time is involved. The numbers just don’t always mean the same thing.
Now, you might be smiling and think it’s cute, or you might just be wondering where I’m going with this. But, I’m sure some of you may have guessed already:
Metrics and measurement for security.
Yeah, those pesky metrics.
And, like opinions and arseholes, everyone has them. It’s just that most of them really aren’t very good.
Whether it’s attributed to Drucker or Deming, the “If you can’t measure it, you can’t manage it” mantra has stuck in the management psyche and generated countless volumes of measurements.
But we need to ask ourselves, “To what end?”
Why in the hell are we choosing THOSE measurements?
And what EXACTLY are we trying to manage with them?
Not to mention that the real statement by Deming goes: “It is wrong to suppose that if you can’t measure it, you can’t manage it—a costly myth.”
Far too many organizational metrics suffer from a potentially more sophisticated version of the issue my son is having trying to measure time.
They’re about counting, not context.
Just because I can count something – especially in the security realm – doesn’t mean that it’s actually relevant or useful to the business at all.
And yet, we dutifully continue, in 2019 even, to report up these counts as if effort guarantees success.
All it really proves is that we’re busy doing something and that those expensive pieces of equipment we bought really can detect how many times whatever magic internal algorithm was executed.
Ah… how reminiscent of the most basic kind of computing. Colossus basic.
For a measurement to be useful, we have to know the context that makes it relevant.
Number of malicious emails blocked? Who cares?
What’s the percentage of emails containing a link leading to an attempted malware site that were actually clicked by my users? And once I know that, how does that relate to the effectiveness of my security awareness training?
How does it tell me where I need to improve my training and awareness program?
What additional steps might I be able to take in my environment that would offset that gap without unnecessarily doing silly things like routing all external emails to the Trash? (And yes, I’ve seen that as an official security policy control decision, folks…)
If I can answer the latter questions, then I can start mapping things back to the business requirements, processes and objectives that are potentially impacted if an individual clicks a bad link. Or, God forbid, if some kind of malware was actually downloaded and installed on their endpoint that disrupts their ability to do their job.
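As an added illustration (this is not code from the original post), here is the difference between the count and the contextual metric worked out in code: a constructed set of mail-gateway and web-proxy records is joined on recipient and normalized URL, so that only malicious links that actually reached a user’s inbox count toward the click rate, and the result is broken down by department and by user. The field names, addresses, URLs and department mapping are invented for the example and do not reflect any real product’s log format.

```python
"""Counting versus context for a phishing metric.

"Malicious emails blocked" is a count. The metric that informs a decision is:
of the malicious links that actually reached a user's inbox, what fraction
were clicked, and by whom? That needs two log sources joined together.

Added example with constructed data; the field names, users and URLs are
invented and do not reflect any real product's log format.
"""
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed mail-gateway records: one per (message, recipient, flagged URL).
# "blocked" means the filter stopped the mail; "delivered" means the verdict
# came too late (or the filter missed it), so the link reached the user.
GATEWAY_EVENTS = [
    {"msg_id": "m1", "recipient": "alice@example.com", "url": "http://bad.example/invoice.php", "verdict": "blocked"},
    {"msg_id": "m2", "recipient": "bob@example.com",   "url": "http://bad.example/invoice.php", "verdict": "delivered"},
    {"msg_id": "m3", "recipient": "carol@example.com", "url": "http://bad.example/invoice.php", "verdict": "delivered"},
    {"msg_id": "m4", "recipient": "dave@example.com",  "url": "http://bad.example/reset",       "verdict": "blocked"},
    {"msg_id": "m5", "recipient": "erin@example.com",  "url": "http://evil.example/doc/",       "verdict": "delivered"},
    {"msg_id": "m6", "recipient": "frank@example.com", "url": "http://evil.example/doc/",       "verdict": "blocked"},
    {"msg_id": "m7", "recipient": "bob@example.com",   "url": "http://evil.example/doc/",       "verdict": "delivered"},
]

# Constructed web-proxy records: outbound requests attributed to a user.
PROXY_EVENTS = [
    {"user": "bob@example.com",   "url": "http://bad.example/invoice.php"},
    {"user": "carol@example.com", "url": "https://intranet.example/timesheet"},  # benign, ignored by the join
    {"user": "erin@example.com",  "url": "http://EVIL.example/doc"},             # same link, different case/slash
    {"user": "alice@example.com", "url": "http://bad.example/invoice.php"},      # never delivered to her by mail
]

# Constructed directory lookup: the context that makes the number useful.
DEPARTMENT = {
    "alice@example.com": "finance", "bob@example.com": "finance", "erin@example.com": "finance",
    "carol@example.com": "engineering", "dave@example.com": "engineering", "frank@example.com": "engineering",
}


def normalize_url(url: str) -> str:
    """Canonicalize so gateway and proxy URLs compare equal (case, trailing slash, fragment)."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def count_blocked(gateway_events) -> int:
    """The vanity number: how many malicious mails the gateway stopped."""
    return sum(1 for e in gateway_events if e["verdict"] == "blocked")


def delivered_links(gateway_events) -> set:
    """Distinct (user, url) pairs where a malicious link actually reached an inbox."""
    return {(e["recipient"].lower(), normalize_url(e["url"]))
            for e in gateway_events if e["verdict"] == "delivered"}


def clicked_links(gateway_events, proxy_events) -> set:
    """Delivered links that the same user later requested through the proxy.

    The join is the whole point: a proxy hit on a bad URL that was never mailed
    to that user (alice above) says nothing about email-borne phishing.
    """
    requested = {(p["user"].lower(), normalize_url(p["url"])) for p in proxy_events}
    return delivered_links(gateway_events) & requested


def click_rate_by_department(gateway_events, proxy_events, departments) -> dict:
    """Per department: delivered malicious links, clicks on them, and the ratio."""
    stats = defaultdict(lambda: {"delivered": 0, "clicked": 0, "rate": 0.0})
    for user, _ in delivered_links(gateway_events):
        stats[departments.get(user, "unknown")]["delivered"] += 1
    for user, _ in clicked_links(gateway_events, proxy_events):
        stats[departments.get(user, "unknown")]["clicked"] += 1
    for s in stats.values():
        s["rate"] = s["clicked"] / s["delivered"]
    return dict(stats)


def users_to_retrain(gateway_events, proxy_events) -> list:
    """Who clicked: the concrete input to a targeted awareness effort."""
    return sorted({user for user, _ in clicked_links(gateway_events, proxy_events)})


if __name__ == "__main__":
    print("malicious mails blocked:", count_blocked(GATEWAY_EVENTS))
    for dept, s in sorted(click_rate_by_department(GATEWAY_EVENTS, PROXY_EVENTS, DEPARTMENT).items()):
        print(f"{dept}: {s['clicked']}/{s['delivered']} delivered links clicked ({s['rate']:.0%})")
    print("retrain:", users_to_retrain(GATEWAY_EVENTS, PROXY_EVENTS))
```

With this constructed data the gateway “blocked 3 malicious emails”, which tells the Board nothing; the joined metric says two of the three malicious links that reached finance were clicked while engineering clicked none of theirs, and it names the two people who need the next round of training. In a real environment the join would also need a time window (click after delivery) and a record of whether the proxy itself blocked the request, which this example omits.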
If my “metrics” don’t inform decisions, then they’re wasted effort.
And if I try to demonstrate my ability to count things to the Board, I can guarantee that they won’t be as patient or as proud as I am of my 4 year old son.
Metrics and measurement aren’t easy. The principles are, of course. But putting them into practice in a way that gives meaningful performance monitoring of an overall security program, or helps prioritize risk management decisions, is a whole lot trickier.
That’s the bad news.
The good news, and a real metric you can think about, is that there are exactly 2 more days in which you can take advantage of the current Security Leadership Coaching and Mentoring program offer, including 2 bonus sessions where you and your ENTIRE team get customized training and Q&A sessions with me (with a for-real value of $2,797, not just some made-up, 6 figure random number).
After those 2 days, here’s what’s going to happen:
- The offer goes away, and you’ll have missed the opportunity to get in at this discount pricing, start whipping your security program into shape and be that much closer to some real relaxation and confidence that things aren’t about to fall apart in the next 20 minutes
- The bonuses evaporate, and even if you join the program at the full price later, or under some future incentive plan, you won’t get the same deal
- You’ve had over 30 days to try to convince yourself, your boss and whomever else is required that being part of the program is valuable, and you’ll have to justify to them later why you’re trying to get less value for more money once either a) you finally manage to convince them or b) it sinks in that you’re not flush with the time or the resources it’d take to close this gap on your own
So, if you’re ready to work on defining some real, business-driven security metrics that demonstrate the value your program gives to the organization, help you get the money you need and justify your current strategy, go here TODAY: https://archistry.com/go/SecurityLeader and let’s have a quick call to see what you can get out of the program.
And if you’re not fully in charge of your budget allocation for something like this, then it’s probably far too late to start the conversation now.
For those who have already signed up and taken advantage, I’d like to publicly say thank you, and I’m looking forward to working with you.
You’re ahead of your peers, and you’ve made the right choice.
Let’s start changing the way you measure and manage security.
Are you ready?
If not today, when will you be?
Andrew S. Townley
Archistry Chief Executive
P.S. Remember, you have nothing to lose. If you ultimately decide I can’t help you, I can still promise you’ll learn something, AND you get double your investment back.
P.P.S. And if you’re the thirsty horse that just won’t drink from this watering hole, then there’s not a lot I can do about that either. That’s fine. If you’re not ready, you’re not ready.