I’ve been thinking recently about how most of our clients don’t collect security metrics. Then I got thinking about how there are anti-design patterns that typify firms with a higher level of vulnerability to a major data loss event.
Running security is no different from running a business – you have assets and threats, vulnerabilities and resources to protect the assets. There are widely accepted and practiced revenue models, costing models and performance metrics for businesses of all shapes and sizes, yet information security has not reached this stage of maturity. Taking two security standards as an example (ISO27001/27002 and PCI DSS 1.2) – it is clear that a well-structured list of security controls is not a substitute for measuring the effectiveness of those controls.
So – how can we use anti-design patterns for diagnosing a firm with potential security issues?
Let’s start by looking at how a typical business uses metrics.