Why The New School Is Important
I participated in another security metrics and risk discussion yesterday (yeah, me talk about metrics & risk – you don’t say). As part of this discussion someone echoed a sentiment I’ve been hearing more and more of recently: a casual acceptance of the logic of metrics and data, followed quickly by a dismissive, skeptical statement about the need for quality information. Something along the lines of “I don’t think we need (or you’re ever going to be able to get) good metrics to make decisions, and I don’t see how even great metrics will help people manage their security better.” This argument then goes on to cite the Intelligent Attacker argument, maybe wave vaguely at corporate politics, and even tie security to “the business.” You’ll forgive me for saying so, but this is a really lazy mindset. It’s one that doesn’t see a quick solution, and therefore gives up.
I BEG YOUR PARDON, I NEVER PROMISED YOU A ROSE GARDEN
Look, here’s the deal with security metrics. The near-ideal state for security metrics won’t make you more secure. Being New School won’t solve your problems. What a New School mindset will do for you is help you begin to understand what your problems actually are.