InfoWorld - Security Adviser: When it comes to security, it's the data, stupid
You can't prioritize risk effectively without accurate data about successful exploits in your environment. Start compiling that data now

By Roger A. Grimes
Feb 16, 2016

In an election year, particularly one in which we're all bracing for a downturn, the 1992 Clinton campaign's famous catchphrase "It's the economy, stupid!" can’t help but come to mind. Apply that same commonsense thinking to computer security and you get: "It's the data, stupid!"

We suffer from a dearth of data and quality analytics on how we're exploited and compromised. We know most of the likely root causes: unpatched software, social engineering, eavesdropping, password cracking/guessing, data leaks, misconfiguration issues, denial of service, insider threats, zero days, and so on. But we lack good metrics on how often they occur inside our environment.

We understand that we're getting exploited by malware -- we may even have the number of detected and removed malware programs in a given period -- but we probably have little data on how many times social engineering let a bad guy in. We may know every unpatched program in our environment, but probably not which one is letting in the most damage. We simply don't know how each threat ranks against the others.

The upshot is that we respond to crisis events and gut feelings. It's about time we started to mature our defenses by asking for data, good metrics, better reports, and ultimately accountability. If you really think about it, our lack of data should be embarrassing to us. How can any organization perform risk assessment when the threats and risks haven't been quantified?
