Access your Pro+ Content below.
New measures for security metrics: Ranum Q&A with Jay Jacobs
This article is part of the November 2013 Vol. 15 / No. 9 issue of Information Security magazine
Information security metrics abound, but few reports garner the attention awarded Verizon's Data Breach Investigations Report. The 2103 DBIR, which highlighted China's alleged cyberespionage among other significant breaches, was based on data pooled from 19 organizations worldwide. Marcus Ranum had a bone to pick with one of the "top external actors" charts, fueled by a healthy skepticism he attributes to his college days in statistics class. "[T]hose lectures had the effect of making me hyper-skeptical about any large, round number that's thrown my way," he bloggedin May shortly after the report was released. Where do you see VERIS going in the future? Is this the kind of thing that could eventually become a requirement for regulated industry segments? Marcus J. Ranum, chief security officer, Tenable Security Inc. This month, Ranum digs into some of the industry issues surrounding the report with co-author Jay Jacobs, a senior data analyst on the Verizon RISK team. Exploring and visualizing data is also the topic of an upcoming...
Features in this issue
Companies have embraced virtualization and cloud computing, but security is still bolted-on. Here's what needs to change.
In the November 2013 Beyond the Page on virtual security, Chris Hoff examines the challenges infosec pros face in finding the right security strategy for their enterprise network.
Enterprises cannot always keep attackers out of their networks. Instead, defense-in-depth strategies aim to raise the cost to black hats -- in terms of time and money.
Software security ranks high among security executives' concerns but low in terms of time spent, according to an (ISC)2 CXO study.
Columns in this issue
If software security keeps you up at night -- and it should -- you are in good company.
Wading into the murky waters of security metrics? Jay Jacobs offers his take on data collection and incident reporting with the VERIS framework.
What's a dollar spent on security worth in terms of risk? Break-even analysis helps you decide.