What's On The Horizon

Along with Kees Leune, the ISO at Adelphi University, I will be presenting, "When To Declare An Information Security Incident and How To Respond Once You Do" at the EDUCAUSE Security Professionals Conference April 15-17 in St. Louis. Details can be found here:
http://www.educause.edu/events/security-professionals-conference

My most recent contributions to the information security community are presentations on the philosophy of security and on information security incident response at the Idaho Fraud & High Tech Investigation Conference, November 2012.

Friday, January 4, 2013
Is Looking at What Didn’t Happen an Effective Approach?

In a posting on wired.com, Ben Paynter defines “the paradox of the close call” like this:

“ . . . near misses aren’t successes. They are indicators of near failure. And if the flaw is systemic, it requires only a small twist of fate for the next incident to result in disaster. Rather than celebrating then ignoring close calls, we should be learning from them and doing our very best to prevent their recurrence. But we often don’t.”

One tactic I have taken to promote information security is to trot out statistics from our IDS logs or firewall logs, point to the numbers and say, “Hey, look at all this stuff that is trying to break into our network! We’re stopping bad things from happening!” Applying Paynter’s definition, I am celebrating near misses—and the result is the purse-string holders say “Good job” and turn down funding requests because we are doing a “good job.” What I am really asking is something like, “We avoided a near miss. With proper funding we won’t even have the near miss to avoid.”

The puzzle is how to demonstrate the value the information security team adds. It is self-evident to information security people who say, “we add value because we stop bad things from happening.” That isn’t evident to those who haven’t consumed the information security elixir. How do you put a value on what didn’t happen? Compare it to what recovery from a breach would cost? That isn’t a very effective sales pitch (though home security companies use it all the time). I don’t have an answer right now--I’ll revisit it in another post.
Here is the link to Paynter’s essay: