Shostack + Friends Blog Archive
Thoughts on Metricon


I was talking to a CISO friend recently about Metricon, and encouraging him or his team to submit a paper. He told me about a concern, which was that it sounded like we’re looking for “how do we give indications so we can pat ourselves on the back,” or “how can we terrify execs?” He’d like to see us looking for papers on “How do we choose the right amount of security for the business?”

As a member of the program committee, I should remain neutral on this and encourage submissions on the basis of benchmarking, empiricism, and all the other things we look for in the call for papers (PDF).

I did want to offer clarity, however, that we did not mean to exclude the question of “how do we choose the right amount of security for the business?” and would be happy to have great work on that topic, or any other aspect of measuring security.