Michael D. Moberly June 5, 2012
As Charles Kettering, the American inventor, engineer, businessman, holder of 186 patents, a founder of Delco, and head of GM’s research from 1920 to 1947, once put it, ‘a problem well stated is a problem half solved’. In my view, Kettering’s remark surely finds relevance in IT security! Companies globally are experiencing an aggressive rise in cyber-attacks and cyber-initiated economic and industrial espionage. Interestingly, the U.S. government’s recent acknowledgement that it played a key role in launching ‘Stuxnet’ in 2010, believed to be the first sustained effort by one country to destroy another’s (i.e. Iran’s) nuclear program infrastructure through computer attacks, no doubt added some not-so-welcomed fuel to that persistent fire.
No prudent company management team, c-suite, board, stakeholder, or IT system administrator would argue against the merits or necessity of IT security, defensively speaking. IT security has become not just a fiduciary responsibility but, in a growing number of jurisdictions, a legal mandate. One outcome is that I seldom meet a member of a management team, CTO, or CIO, etc., who does not assume their company has a firm handle on what IT security means and, therefore, what elements and aspects of (IT) system operations must be monitored and measured.
As many recognize, an outgrowth of any new professional domain, in this case IT security, even though it’s been practiced for 20+ years, is that those involved, i.e., designers, manufacturers, vendors, and practitioners, drift toward developing a specialized jargon or lexicon. This ‘IT security-ese’ undergoes routine renditions and updates, examples of which relate to…
- measuring system effectiveness
- articulating a rationale for (additional) IT security expenditures
- accounting for the actual outcomes of IT security, i.e., what’s being monitored, captured, and how it’s measured.
As a security generalist and intangible asset (protection) strategist and practitioner for 25+ years, I recognize that the word ‘security’ conjures a myriad of assessments, particularly in the post-9/11 era in which our collective (security) consciousness has elevated considerably, both conceptually and practically. But, in the sense of a person or company actually being more or less secure, the term ‘security’ prompts a range of interpretations, most of which are related to variables such as time, place/location, circumstance, transaction, and/or venue, etc.
On the surface, IT security may appear relatively easy to measure because, presumably, codes and programs can be written, or products purchased, to capture and monitor most, if not all, activities that occur in or to an IT system. That said, a commonly held perspective with respect to IT security is that once ‘x’ security (system, device, product, or personnel) has been introduced and become operational, there will be a corresponding reduction in risk and uncertainty to either the intangible or tangible assets which a company’s IT security system encompasses. It remains to be seen, at this point, whether or precisely how this relates to ‘cloud computing’.
We do know the key to measuring and assessing general security outcomes lies in large part in one’s adeptness at articulating (bringing preciseness and clarity to) user, recipient, and/or stakeholder expectations. In other words, what can we expect to observe following deployment of ‘x’, in this case, IT security products and/or services? As Hubbard suggests many times in his book (How To Measure Anything: Finding The Value of Intangibles in Business), if one is fuzzy about what she expects to observe as an outcome, e.g., from an expenditure of IT security resources, it’s likely any subsequent (quantitative, qualitative) measurements will be equally fuzzy.
Here’s where Kettering’s ‘a problem well stated is a problem half solved’ statement is so relevant in my view. For starters, it’s essential to define the terms ‘risk’ and ‘uncertainty’:
- uncertainty is merely the lack of having complete certainty about, for example, a business transaction, partnership, and/or strategic alliance.
- risk, on the other hand, is a state of uncertainty wherein multiple ‘uncertainties’ exist relative to, for example, an expenditure of resources, a particular transaction, new initiative, or even a new product launch.
Should any one of those uncertainties (risks) materialize, it will likely lead to some type or degree of loss or adverse (economic, competitive advantage) impact, largely on a company’s intangible assets.
Measuring uncertainty, then (in the case of IT security), constitutes measuring a set of probabilities that a CTO, CIO, and/or CFO perhaps has assigned to a set of possibilities. For example, following deployment of a particular product or suite of IT security products and services, a CTO could state she ‘expects to observe a 60% reduction in the vulnerability, probability, and criticality that proprietary data and information held within the company’s IT system could be extracted and disseminated illicitly’.
Measurement of risk, on the other hand, is a set of possibilities, each with quantifiable probabilities, usually involving asset loss, value erosion, undermining competitive advantages, etc., following deployment and operationalization of IT security services and products. In this instance, a CTO may announce that there remains a 15% probability that the company will experience theft of proprietary data and information by insiders.
So, a problem well understood, well defined, and well stated, is indeed, a problem half solved!