Why Information Security Metrics Are Important

"He uses statistics as a drunken man uses lampposts - for support rather than for illumination" ~ Andrew Lang

Metrics and statistics, whilst subtly different, are often seen as the accountant's yardstick and the pragmatist's whipping stick.  The use of metrics in IT has had a long and perhaps uneasy route.  Technicians want to implement, design and fix.  Managers and budget owners need to show value, deliver service and ultimately keep the customer, production line or CFO happy.  An efficient and sustainable business position is a meeting place between the two, where tangible (and intangible) metrics (not statistics) are important to both parties.

Why Use Metrics?


IT security has often been seen as a cost within the overall component of IT, which until very recently was also seen as a cost to the business.  IT was a necessary component, granted, but organisations have historically not seen IT as a strategic part of the overall business delivery cycle.  It was never capable of driving efficiencies, saving money or being proactive in gaining and keeping customers.  That view has changed considerably and information security is now becoming the necessary component within IT.

Iran's Own Internet

The 'summer' break has been and gone and as the winter rains become a thing of unrelenting omnipresence, the main story that caught my eye was that of Iran building its own internal intranet.

The politics and propaganda behind such a move are far beyond the scope of an information security blog, but the idea has some interesting concepts.

Firstly, there are a few basic drivers behind such a move.  Control and censorship is one.  Regardless of political motives, building a brand new network allows the creator to have a lot more control over the number and types of devices that are connected and the information and data those devices share.  In a lot of regions where the internet is freely available, control and censorship is a big agenda item.