by Stuart McClure
My university professors always sputtered the age-old maxim in class: “You can’t manage what you cannot measure.” And while my perky, barely-out-of-teenage-years ears absorbed the claim aurally, my brain never really could process what it meant. Sure, my numerous computer science classes kept me chasing an infinite pursuit of improving mathematical algorithms in software programs, but little did I know how to really apply these quantitative efforts to the management of anything, much less cyber.
So I bounded forward in my career in IT and software programming, looking for an application of my unique talents. I never found cyber measurement all that compelling until I found cybersecurity. What motivated me to look at a foundational way to measure what I did in cybersecurity was the timeless question that I and many of you get almost daily: “Are we secure from attack?”
The easy answer to such a trite yet completely understandable question is, “No. Security is never 100%.” But some of you have answered the same way I have done from time to time, being exhausted by the inane query, with “Yes. Yes we are.” Why? Because we know a ridiculous question should be given an equally ridiculous answer. For how can we know? Well, you can’t—without metrics.
As my cybersecurity career progressed through InfoWorld and Ernst & Young, founding the company Foundstone, taking senior executive roles in its acquiring company, McAfee, and now starting Cylance, I have come to a unique appreciation for the original professorial claim that you really cannot manage what you cannot measure. While an objective metric may be mythical, a subjective and localized measurement of your current risk posture and where you stand relative to your past and your peers is very possible.
Measuring the cyber risk present at an organization is nontrivial, and when you set the requirement of delivering on quantitative measurements rather than subjective and qualitative measurements, it becomes almost beyond daunting.
The real questions for all of us security practitioners are ultimately “Where do we start? How do we go about measuring cybersecurity’s effectiveness and return?” The only way to begin to answer those questions is through quantitative metrics. And until now, the art of cybersecurity measurement has been elusive. I remember the first time someone asked me my opinion on a security-risk metrics program, I answered something to the effect of, “It’s impossible to measure something you cannot quantify.”
What the authors of this book have done is begin to define a framework and a set of algorithms and metrics to do exactly what the industry has long thought impossible, or at least futile: measure security risk. We may not be perfect in our measurement, but we can define a set of standard metrics that are defensible and quantifiable, and then use those same metrics day in and day out to ensure that things are improving. And that is the ultimate value of defining and executing on a set of security metrics. You don’t need to be perfect; all you need to do is start somewhere and measure yourself relative to the day before.
Stuart McClure is the CEO of Cylance, former global CTO of McAfee, and founding author of the Hacking Exposed series.