Foreword

By now it’s become cliché to say “You can’t secure what you can’t measure,” or similar variations on Lord Kelvin’s original pronouncement about the relationship between measurement and outcomes. Unfortunately, very few organizations follow this mantra effectively. In my view, this is one of the biggest indictments of the security profession as a whole; despite an ever-expanding litany of control frameworks, best practices, and guidance, no one seems yet to have asked (to paraphrase risk metrics guru Douglas Hubbard), “How do we know if any of this stuff is really working?!”

Well, after nearly 15 years of security consulting for Fortune 1000 organizations, I’m here to tell you the dirty little non-secret of IT security: no one really does know if any of this stuff is working. Firewalls, vulnerability scanners, intrusion detection/prevention systems, data leak prevention, application security, patch management, encryption, PCI DSS compliance... the list of “stuff” that IT security invests in grows more and more, but talking about measuring return on this investment is still avoided like the plague. Now that serious money is starting to be spent on security (I know of organizations with upwards of $50M in annual IT security spend, for example), the time is ripe to start confronting the elephant in the room and have a mature conversation about practical, relevant, effective security metrics.

Enter the book you’re holding in your hands. Lance Hayden has compiled a thoughtful and fact-based tour of the who, what, when, where, how, and why of security metrics. He disperses myths while illuminating truths, pointing towards better ways for IT to conceptualize, implement, and articulate the value proposition of security activities and investments.

I particularly like Lance’s down-to-earth approach in this book: he’s clearly been around the block enough times to understand and appreciate the profession’s historical attempts at metrics (e.g., annual loss expectancy, ALE), but he’s also savvy enough to know that what we’ve done so far hasn’t provided useful decision support to key constituencies, nor has it articulated the value of security activities very well in an age where accountability and scrutiny have only increased for all organizational functions.

This is one of the great differentiators of this book versus others I’ve read on the topic: there’s a strong undercurrent of contrarian thinking that refreshes and enlightens, while at the same time not losing the baby with the bathwater. Too often the desire to innovate and challenge the status quo goes too far in technical fields, and we lose track of some of the fundamentals that keep us working within reasonable arcs. The fundamentals are not overlooked in this book, which is clearly grounded in foundational concepts of risk management, decision support, and basic economics. At the same time, there is a recognition that many of the practices followed by security professionals today are “... a bit lame” (to borrow a phrase from Chapter 1) and that “alchemy” is often employed by “slackers” who want to take shortcuts around data and “hedgers” who would color the results as audiences want to hear them. Somewhere between the stone age and the bleeding edge, we’ve all become lost and confused; this book is a concise guide back to the middle, that is, a more empirical way to think about information security and measure its progress.

And although “middle-of-the-road” and “security metrics” may sound like a recipe for boredom, this book is quite the opposite. It abounds with practical examples, anecdotes, metaphors, crisp descriptions of difficult concepts, comparisons with other industries, and a just plain entertaining writing style that won’t strain your attention span. No punches are pulled either—you won’t find baby-talking around tools like the Poisson distribution and Monte Carlo simulation that can be applied to real problems in infosec today, and real math is performed in the examples to illustrate how things work in practice.

The relevance, information density, and readability of this book are top-notch, and I don’t say that lightly, having been a technical author for over a dozen years myself. I cribbed numerous good ideas to try in my own work while reading through the chapters herein, which is my own personal metric for value and usefulness. IT Security Metrics hits its numbers through and through, and I strongly recommend it to anyone who is passionate and serious about protecting digital assets with better precision and effectiveness.

Joel Scambray
Co-Author, Hacking Exposed,
and CEO of Consciere
April 25, 2010