Seth Godin asks an excellent question:
Is something important because you measure it, or is it measured because it’s important?
I find that we tend to measure what we can, rather than working toward being able to measure what we should, in large part because some variation of this question is not asked.
I’m going to pick on malware fighting as a case in point. Is there lots of nasty malware out there that can really destroy your infrastructure? Absolutely, and as a result, IT and IT Security teams put tremendous effort into detecting and cleaning malware infections.
But how much of that malware actually impacts business, either by affecting the availability of the IT environment or producing a material incident? If your business is like most, then the answer is hardly ever*.
So why does the security industry spend so much money and time (another form of money) on malware? Because we can. Never mind that the stuff you should be truly worried about if you’re talking about protecting The Business (as opposed to The Infrastructure) is the APT/Custom Malware/Targeted Threat stuff, which is invisible on the anti-virus console?
Because they can.
* While that could be changing thanks to innovations like Stuxnet, who honestly thinks that messing their business up is worth burning three 0days? Really? Get over yourself.
In the meantime, you can test this argument in your own environment. Compare the number of pieces of malware you’ve detected and cleaned (as opposed to prevented) with the number that significantly impacted more than the infected person’s machine.
We’ve had one in the past year that might meet the disruption test, versus multiple malware cleanup tickets per week (not daily, but it tends to be spiky, so the average is greater than one per day. Still…). It took out a single user who had managed to break his Anti-Virus because either he didn’t like it when the full scan ran or it kept stopping him from installing the trojaned, pirated software he’d downloaded; I never quite got a clear answer on this. The infection jammed the mail queue with outbound spam, causing a degradation (but not disruption) of outbound email for a few hours.
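The comparison the post proposes is easy to automate against a ticket export. The script below is an added example, not code from the post or its author; it assumes a constructed list of closed malware tickets where each record carries the close date, the number of hosts affected and any services that were degraded (field names are hypothetical). A ticket counts as business-impacting only if it reached beyond the infected machine, either by touching more than one host or by degrading a shared service such as the outbound mail queue. It also reports the busiest day and the number of quiet days, since a spiky distribution can push the daily average above one even when most days see nothing.

```python
from collections import Counter
from datetime import date

# Constructed sample records (not real ticket data): each tuple is
# (date closed, number of hosts affected, list of degraded services).
# Hypothetical shape of a ticket-system export, chosen for this example.
SAMPLE_TICKETS = [
    (date(2011, 3, 1), 1, []),
    (date(2011, 3, 1), 1, []),
    (date(2011, 3, 1), 1, []),
    (date(2011, 3, 1), 1, []),
    (date(2011, 3, 2), 1, []),
    (date(2011, 3, 4), 1, []),
    (date(2011, 3, 4), 1, []),
    (date(2011, 3, 4), 1, []),
    (date(2011, 3, 4), 1, []),
    (date(2011, 3, 4), 1, []),
    # One infected host that jammed outbound mail with spam: single
    # machine, but a shared service was degraded, so it counts.
    (date(2011, 3, 4), 1, ["outbound-smtp"]),
    (date(2011, 3, 7), 1, []),
    (date(2011, 3, 7), 1, []),
]


def is_business_impacting(affected_hosts, degraded_services):
    """True if the infection reached beyond the infected person's machine."""
    return affected_hosts > 1 or len(degraded_services) > 0


def malware_impact_summary(tickets, period_days):
    """Compare routine cleanups with incidents that actually hurt the business.

    period_days is the length of the observation window, used for the
    per-day average and the count of days with no tickets at all.
    """
    cleanup = 0
    business = 0
    for _, hosts, services in tickets:
        if is_business_impacting(hosts, services):
            business += 1
        else:
            cleanup += 1

    per_day = Counter(closed for closed, _, _ in tickets)
    busiest_day = max(per_day.values()) if per_day else 0
    quiet_days = period_days - len(per_day)

    return {
        "cleanup_tickets": cleanup,
        "business_incidents": business,
        "average_per_day": len(tickets) / period_days,
        "busiest_day": busiest_day,
        "quiet_days": quiet_days,
        # How many routine cleanups you handle for every incident that
        # passed the disruption test; infinite if none did.
        "cleanups_per_incident": cleanup / business if business else float("inf"),
    }


if __name__ == "__main__":
    summary = malware_impact_summary(SAMPLE_TICKETS, period_days=7)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it over a real export and the interesting number is the last one: the ratio of cleanups to business-impacting incidents is what tells you whether the effort going into the anti-virus console is measuring something that matters to The Business or only to The Infrastructure.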