So I commented yesterday about a post Richard made about outcome-based security metrics.
In short, Richard likes outcome-based security metrics because they "mean something." I like them, too, but they can be hard to define and even harder to gather good data for. So I guess I don't like them that much.
He replied in the form of a new blog post. And I just had to comment.
This time, Richard takes issue with my point that it's possible to have bad security and outcome-based metrics that don't realistically represent the poor state of your security. He's probably right that if breaches are really bad, or even moderately bad very frequently, you can't help but detect them. Eventually. But in my opinion, metrics don't help you here. And that was my point.
And then he rags on compliance metrics. And this is where I draw the line. OK, not really. Compliance metrics suck, but we do them because they have value. Actual business value. Contrived, soulless, perhaps even pointless value. But I can tie dollars to them, so they have value. But Richard doesn't believe in ROI for security, either, so... :-)
Anyway, I respect Richard and enjoy his books and his blog. This dialog is healthy for infosectarians to have. If by some freak accident you read my blog but not his, definitely check it out.