Risk management

IT Security Metrics: The Enterprise FUD Killer

One of the greatest knocks on the information security profession is that IT security is always asking for budget to spend against the latest threat, only to abandon the cause like harried firefighters, jumping from one conflagration to the next.

One of the most common complaints I hear from information security
executives in large organizations is that they are constantly playing
defense, not offense. Their network security apparatus is designed to
wait for an attack, see if it’s successful and, if it is, to plug the
hole, then repeat.

By David Mortman
I spent some time earlier this week at mini-metricon, a workshop that was inspired by the success of Andrew Jaquith’s security metrics mailing list and the larger Metricon which is held each year in conjunction with the USENIX Security Conference. In essence members of the mailing list gather each year on the Monday before RSA and share what they are doing with regards to security merics within their organizations.

By Joan Goodchild, CSO
“The dean of the security deep thinkers,” “security luminary, ” and “risk-management pioneer” are all phrases that have been used to describe Dan Geer. Considered one of the foremost leaders in information security, his resume includes time as president and chief scientist at Verdasys Inc, a critical role in Project Athena at MIT, and a now famous firing from @Stake for co-writing a paper warning that a Microsoft monoculture threatened national security.
These days Geer, a 2009 CSO Compass Award winner, is CISO with In-Q-Tel, a non-profit venture capital firm that invests in security technology in support of the intelligence community. Geer recently spoke with CSO [csoonline.com] and explained why, despite all he has accomplished in his past, his sights are still set toward the future of security. Read the full Q&A interview.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.