Security can sometimes seem like a merry-go-round: going round and round in a circle, chasing one’s own tail. The only way out of this is to get some measure on how you are doing compared to before, but metrics for security are notoriously hard.
I was talking to a senior manager responsible for security at another UK University recently and asked them how many times they’d been hacked in the last few years. The reply was very confident: “We’ve not been”.
Seems a good stat for the annual report, doesn’t it? The trouble is, it’s bound to be wrong. Any large organisation that claims they’ve not had a break-in in the last year is not looking hard enough. If I were vain, I’d call it “Clune’s law”:
If you think you’ve not been hacked, you’re not looking hard enough
The metric #break-ins/year isn’t bad, but for most organisations (let’s exempt GCHQ here) the target should be not zero (easily achieved by just not looking) but an increase of X% over the number of break-ins detected last year. The trouble with that is that it’s a hard sell. Explaining to senior management or the local press that things are better because you’ve (seemingly) been broken into more often is never going to be easy.
Maybe that gives us another metric that we should aim to have monotonically increasing: the percentage of staff who understand this.
