Security Metrics: Replacing Fear, Uncertainty, and Doubt
Author: Andrew Jaquith
Publisher: Addison-Wesley Professional
In the modern enterprise environment, investing in security and implementing it properly is a complex process that has to be based on solid metrics. After all, how can one expect to efficiently protect and improve something that hasn't been measured?
To help with these problems comes a title that promises to show you how to quantify, classify and measure information security. Let's see what it has to offer.
About the author
Andrew Jaquith is the program manager for Yankee Group’s Security Solutions and Services Decision Service. He advises enterprise clients on how to best prioritize and manage security resources in their environments. He also helps security vendors develop product, service and go-to-market strategies for reaching enterprise customers. He co-founded @stake, a security consulting pioneer which Symantec Corporation acquired in 2004.
Inside the book
The first thing you notice when reading the text is the laid-back writing style of a skilled author who has managed to turn a subject many consider boring into easy-flowing text. The book comes packed with a plethora of figures and screenshots that help explain the topics.
Following the long-standing debate on what makes for a good metric, Jaquith outlines the positives and the negatives. I especially enjoyed his dissections of ISO 17799 and Annualized Loss Expectancy (ALE) in this context.
When discussing technical security metrics, the author covers a lot of ground and reminds you to keep a history of your measurements so that you can track your progress, or your eventual failure. If you don't know what your situation is at any given point, you can't really improve it.
Jaquith does a very good job explaining one of the widespread problems among security professionals: a lack of proper visualization. In order to communicate properly with management, you need to be able to present security issues clearly and make sure your point gets across. The author offers pointers on creating tables, charts, treemaps and more.
In the final chapter of the book you get a lot of tips on how to design security scorecards that are easy to understand. In order to align the metrics with management's view of the business, the author recommends using a "Balanced Security Scorecard". This is an interesting concept that is bound to raise some eyebrows, but it does put forth many valid points.
"Security Metrics" is more than a collection of ways to measure security. It's packed with Jaquith's experience and draws on real-life cases to illustrate concepts. The book ends up being a valuable resource, as it shows you what to do, when to do it and why.
The author has succeeded in providing clever insight into a complex topic, and if you’re interested in security metrics this is the book to read.