Or, how to lie with metrics.

Adam Shostack, Leading expert in threat modeling

March 17, 2016


A few years back, I called my stock broker and asked for help selecting a growth fund to diversify my holdings a bit. He said he had this great fund that was totally a fit for what I needed. (Have you ever called a salesperson and not heard that they had what you needed? When you do, pay attention. Those are the ones doing real strategic sales.)

This fund had great performance relative to the Russell 2000, had a low beta (a measure of volatility), and blah blah. Frankly, I don’t remember the points he made when selling me. They were his points, not my points. Some of them were real metrics that were relevant to what I wanted to know, and some were what the lean startup movement calls “vanity metrics.”

But they were his metrics, not mine. I had not done the hard work of figuring out what mattered to me, and ensuring that the things I wanted were being measured. So I was an easy mark. There are two lessons here: one for people buying products and services, and one for those producing metrics for “the business.”

Walking around at RSA, it seems that every product today has its own “single pain of glass.” (No, not pane, trust me, they’re misspelling it.) These pains of glass take metrics that a product manager selected, just like my stock broker selected his metrics. And you’re going to have a lot of them, and they’ll be pains. They’ll be numbers that you can, with work, influence, but that work doesn’t mean your business is more secure. But now that you’re measuring them, you better start influencing them. You’re going to be held accountable for the numbers that you bought.

Let’s take an example: vulnerability counts. Vulnerability counts have, at best, a complex relationship to consequential events. As someone who helped get the CVE off the ground, I know that there are plenty of real issues (Word macros, DLL injection) which real attackers exploit and which don’t get fixed. Others, like Autorun, do get fixed, without a CVE, because they’re not bugs, but features. There are also plenty of real vulnerabilities, such as SQL injection in your custom database, that don’t get a CVE. (I hope that those are bugs, not features.)

The question you’d like to ask, the thing that you’d like to measure, is not vulnerabilities. You probably want to influence vulnerabilities because you think they correlate with the consequential events that your business cares about, and they might. But as we’ve just discussed, they are not a complete metric of what matters to the business, and we don’t have a good way to estimate their incompleteness. So, because they neither measure what you care about nor correlate tightly with it, they make a bad executive metric.

And here’s the lesson my stock broker can teach those producing metrics for the business. Don’t be like my stock broker. It’s a short-term business model. Business has a way of looking at issues. Profit and loss. Return on capital. Now, it’s cliché to complain about how hard it is to link security to those issues, and so we invent stuff to report on, like “maturity,” thinking it sounds strategic. It doesn’t.

Look, executives become executives because they’re good at making decisions about complex questions with big impacts. Is it harder in security? Well, yes, we blindfold ourselves, we rail against talking about our mistakes, and then wonder why no one ever gets better. But that’s a problem we have to face within security, and in the meanwhile, we need to find metrics or frameworks that matter to our executives, that the business understands, and that we can speak. In that order.

So the lesson is: figure out the metrics that matter to you, and figure out the metrics that matter to the business. Some of it will be hard to gather, some of it will be impossible. But you don’t want to be like the drunk looking for their keys under the streetlight, even if the light is better there.

Next week, we’ll get down and dirty and talk about what those metrics are not. Here’s a hint: they’re not about things you can’t control.

Oh -- and incidentally, that fund? Down 20% when I sold it.


About the Author(s)

Adam Shostack

Adam Shostack is a leading expert on threat modeling. He's a member of the Black Hat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
