You Keep Using That Word

Feb 7, 2012
Ed Bellis
Chief Technology Officer, Co-founder


Secure. I don’t think it means what you think it means.

Back in my days as a CISO, and even before that in various practitioner roles, there were two questions executives and management asked over and over.

  1. Are we secure?
  2. How do we compare to $x?

Let’s start with the first question. Security is not binary; it is not a state of on or off. Security in its entirety should be viewed more like 256 shades of grey. The question is not whether you are secure, but how secure or insecure you may be. Many controls and decisions go into that state, each pushing it toward more secure or less secure, and each of those controls and decisions carries its own trade-offs.

What I’m really getting at is that it’s a bogus question. But you can’t really answer that way, so you take it with a grain of context and respond politely.

Now on to the second question, one I find more interesting and more meaningful. A common concern among management is how they line up with the competition. If their security falls behind that of their competitors, they worry they will be burned by it and look bad. On the other hand, if they are way ahead of the competition, why? Sure, it gives some level of comfort, but are they spending too much on security? Could those dollars be better spent elsewhere? Ah, trade-offs again.

There may be many reasons why you need to be, or should be, ahead of your competition in securing applications and infrastructure. Perhaps you work in an infosec-lagging vertical, where “keeping up with the competition” means you’re a target of opportunity on the Internet. Being a target of opportunity can come down to how you stand up against a particular vulnerability compared with your neighbors on the Internet, or in Google’s search index. Regardless of the reason, you’re going to need data to back you up.

Measuring what’s important to your organization, your industry and your management is the best way to answer these questions. Include not only metrics but also benchmarks that compare how you are doing against your vertical, the broader industry and your own past performance. Pick your metrics carefully and make sure they pass the “so what” test. In some cases you can benchmark in an automated manner; more loosely, you can benchmark through industry organizations such as the ISACs and other forums where your industry gathers.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.