The People Side of Prevention

09/13/2013 07:58:13 AM (Originally 07/20/2004)

Originally published 20 July 2004. Finding articles nearly twenty years old, I continue to be surprised that certain issues have changed little. 

In a September 2002 article, The People Side of Prevention, Joanne Cummings asked me about measuring prevention success, and I reflected that success is a metric that is both elusive and illusory in nature.

At the time, I thought,

“The only way to measure prevention success is by a dearth of incidents”

and added that

the non-presence of incidents becomes “something that, over time, can make security investments seem like overkill”.

I offered the scenario of a security information officer who works at a large corporation that spends $25 million per year on security. He has used that budget well, implementing security technologies and practices that have buttoned up the enterprise according to best practices. But without incidents to report — look, here’s why we need security — he can’t justify his budget to the satisfaction of business executives. 

As we focus more on risk assessment and mitigation, we may find it easier to quantify prevention success. But you'll still find that organizations want the virtual corollary of rows of attackers impaled on pikes along the entranceway of corporate offices. "How many attacks did we prevent today?" and "Did we catch any attackers today?" aren't helpful metrics now, nor will they ever be.

The people side of prevention begins with trust. Is it too much to expect that C*Os trust the security professional(s) they hire to spend wisely and do the best job possible? I did hire the most competent and trustworthy professionals, right? If I were a C*O, I'd love to have my CSO report, "absolutely no one even bothered to rattle our doorknobs this month because attackers have conceded we do security so well here". I wouldn't expect this result, nor would I use it to justify a reduction in spending. I would treat such a result as an affirmation that I hired the right people, and that my security investments were and remain justified.