A day or so ago, I was reflecting on one of Gunnar Peterson's posts regarding Information Security spending and the lack of transparency and measurement therein. His post referred to a set of five questions that Dan Geer suggested (rightly) ought to be answered by anyone managing security efforts or defending a security budget:
A while back, Dan Geer posed the following questions:
How secure am I? Am I better than this time last year? Am I spending the right amount of $$? How do I compare to my peers? What risk transfer options do I have?
Dan asserted, and I agree, that these are perfectly reasonable for senior management to ask; virtually any part of a business can provide some enlightenment on them, and the exception is infosec, which has virtually no way to answer any of these today.
A few moments ago, Richard Bejtlich over at the TaoSecurity blog posted a fantastic substitute/extension to question number one above, "How secure am I?", by asking "Are you secure?" Richard goes one step further and suggests that you prove it.
Richard sets up the scenario by establishing the ground rules:
Are you secure? Prove it. These five words form the core of my recent thinking on the digital security scene. Let me expand "secure" to mean the definition I provided in my first book: security is the process of maintaining an acceptable level of perceived risk. I defined risk as the probability of suffering harm or loss. You could expand my five-word question into "Are you operating a process that maintains an acceptable level of perceived risk?"
For the purpose of this exercise let's assume it is possible to answer "yes" to this question. In other words, we just don't answer "no." We could all make arguments as to why it's impossible to be secure, but does that really mean there is no acceptable level of perceived risk in which you could operate? I doubt it.
He does a fantastic job of suggesting how you might want to approach answering that question.
Read it; it's fantastic.