Virtual FOSE: Metrics, comparisons recommended for winning IT security support

Advice for IT security professionals without budget authority on how to make their case

Information technology security professionals who don’t control budgets should use reliable and authoritative metrics to monitor and compare performance to win support for new investments, a cybersecurity expert said today.

Alan Paller, director of research at the SANS Institute, said it’s important for security professionals to make their cases for funding in ways that use numbers or categories to make comparisons that motivate people. Paller also said regular schedules for monitoring are also important for winning support.

“Comparison gives you a motivation that’s enormously powerful,” he said during an online presentation of the Virtual FOSE Conference. The conference is sponsored by 1105 Media, the parent company of Federal Computer Week.

Meanwhile, Paller also said metrics should be reliable, important and authoritative.

“You cannot do monitoring if it’s unreliable because then everybody gets into a fight about people’s measurements instead of getting into a goal of getting things fixed,” Paller said.

Paller said the problem with the Federal Information Security Management Act is that guidance for meeting its requirements doesn’t have metrics that lead different evaluators following the same processes to reach the same conclusions.

He said because the nature of IT security makes it impossible to fix everything, success is doing at least as well as or better than other people. Paller said traditional approaches to get people to do something, such as saying the boss wants it done or that something is required by law or auditors, are flawed because they don’t give people an incentive to cooperate.

Meanwhile, Paller's online presentation said his recommended approach lets people exercise power without formal authority and that helps people make important strategic change that many others may resist and gets resources without resorting to political games. Paller also said the approach helps avoid adversarial relationships and promotes cooperation.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.