Thursday, March 14, 2013

Metrics Mark the End of Faith-based Cybersecurity

Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):
Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system. 

While there are appropriate places and good uses for dogma, the C-Suite and Board of Directors conference table is not one of them. (At this point I can imagine some long-term readers saying, "tell us how you really feel").

With both risk and governance in his title, Hutton has clearly been thinking this through, and he finishes with this zinger for the security governance ages:
You know what you call governance guided by metrics? Risk management.
I'll be submitting some business-oriented security metrics to the NIST Critical Infrastructure Cybersecurity Framework folks in a few days, and will follow up in person with them in Gaithersburg, MD on April 3.

People love to argue about metrics; that's one of the reasons they rarely come into being in our world. Let's see if we can agree on a few that work this time ... it's partly what NIST and others are looking for us to do.

The whole article is HERE.

Photo credit: Still from Dogma film (1999) from
