Security Metrics Make Sense Only in the Context of Risk
- The question of ‘how secure are we’ can only be answered in the context of identified risk.
- When we talk about security, we aren’t talking about objective, probabilistic events.
“As important as compliance is, being compliant does not equate to being secure.”
Security is not a binary proposition of being either ‘secure’ or ‘not secure’. Chris Mark likes to use his house as an example. “Is my house secure?” he asks. “I have locks on my doors and windows. I believe it is appropriately secure given the identified risks against which it is being secured. But if I were to bring the Hope Diamond into my living room, that level of security would no longer be considered appropriate given the new risk profile.” The question of how secure we really are can be answered only in the context of identified risk. “When talking about security metrics, the first step involves conducting a risk analysis,” says Mark. “You need to be able to say that given the threats facing your organization; the value of your data; and the operational, regulatory, financial, and safety impacts of a breach, here is the appropriate level of security given the identified risks to which you are exposed.