Saturday, December 20, 2008

Security Metrics as a Process

Recently, I was presented with an interesting challenge within my organization. Quite honestly, the challenge is not anything new or specific to this organization; it is a systematic problem within the Information Security function. The concept of Information Security metrics is, in my opinion, largely based on snake oil sales. Unfortunately, it perpetuates as a nebulous science, complicated further by inconsistency and contention on resources that fail to see the value of the art.

If you had to read that last sentence multiple times to catch the meaning, well then you are at the same wavelength that our decision makers are at when it comes to the metrics that we define as a horizontal function. The statement is based on opinion, contains fancy words, and yet somehow does not address the challenge in quantitative terms.

This is the crux of my challenge, and one that I hope can translate into my dissertation in organizational management. Metrics can be defined by nearly everyone; effective metrics cannot. The practice of arriving at effective security metrics will take many resources: human, financial, temporal, and technological.

Like the Information Security function itself, the effective metrics process is a process, not a product. Borrowing from Andrew Jaquith's book Security Metrics: Replacing Fear, Uncertainty, and Doubt, I believe he is correct when he defines the criteria for an effective metric:


  • Consistently Measured

  • Cheap to Gather

  • Expressed as a Cardinal Number or Percentage

  • Expressed using at least One Unit of Measure

  • Contextually specific



Surprising to me at this point is the noticeable lack of material on the subject of Information Security Metrics. Outside of Andrew Jaquith's book and the works of ISO 27004, which is yet to be published, I have yet to find good material on the topic.

What I would be interested to see is what practitioners in the field use to measure their effectiveness in Information Security as a process.

Sunday, December 14, 2008

First Stripe

Thursday marked an important day in my Brazilian jiu-jitsu training. Along with a handful of other students, I received my first promotion in the gentle art. As many of you have heard or read, I felt I had plateaued in my training, and was struggling for answers. In the ceremony, Luis "Sucuri" Togno explained how this was natural for students, and further went on to explain how proud he was of all of his students.

The interesting thing about Team Alliance from my vantage point is that, unlike many schools, Luis is very interested in the student's advancing through strict adherence to the details of each technique. He does not promote in order to run a profitable business and maintain student tuition. This is extremely important for the real world defense of the art and the skills of the practitioner. Too often we read about students at other schools being promoted to blue after 6 months or so. However, in many cases, these students do not understand the roots of the art, the accomplished fighters, or the reasons why details are so important.

I am proud to have received my bar and stripe this week, and sincerely look forward to the day I can look back on this and provide that new student, struggling in his or her own training, the motivation to continue on, regardless of how difficult it may seem.

Check out Alliance of Charlotte and reach out to Luis "Sucuri" Togno for more information about the academy.

Good night!

New Alliance BJJ YouTube Channel

Well, my professor and friend Luis "Sucuri" Togno has done it again. With very little discretionary time on his hands, he has somehow managed to find time to help Brazilian Jiu-Jitsu practitioners around the world by creating a YouTube channel which demonstrates world-class techniques. The Alliance of Charlotte channel can be found here.

For those in the Charlotte, NC area looking for a rewarding and challenging experience in martial arts, I highly encourage you to consider Alliance. Alliance of Charlotte's website is located in the SouthPark area, over by Angry Ale's and The Press Box.

Even if you are unsure of whether the academy is right for you, Sucuri offers a 30-day free trial.

Sunday, December 7, 2008

Tuscan Whole Milk

Quite possibly the best milk ever created. If you don't believe me, check out the Amazon.com reviews...

http://www.amazon.com/Tuscan-Whole-Milk-Gallon-128/dp/B00032G1S0