Virtual FOSE: Metrics, comparisons recommended for winning IT security support

Advice for IT security professionals without budget authority on how to make their case

Information technology security professionals who don’t control budgets should use reliable and authoritative metrics to monitor and compare performance to win support for new investments, a cybersecurity expert said today.

Alan Paller, director of research at the SANS Institute, said it’s important for security professionals to make their cases for funding in ways that use numbers or categories to make comparisons that motivate people. Paller also said regular schedules for monitoring are also important for winning support.

“Comparison gives you a motivation that’s enormously powerful,” he said during an online presentation of the Virtual FOSE Conference. The conference is sponsored by 1105 Media, the parent company of Federal Computer Week.

Meanwhile, Paller also said metrics should be reliable, important and authoritative.

“You cannot do monitoring if it’s unreliable because then everybody gets into a fight about people’s measurements instead of getting into a goal of getting things fixed,” Paller said.

Paller said the problem with the Federal Information Security Management Act is that guidance for meeting its requirements doesn’t have metrics that lead different evaluators following the same processes to reach the same conclusions.

He said because the nature of IT security makes it impossible to fix everything, success is doing at least as well as or better than other people. Paller said traditional approaches to get people to do something, such as saying the boss wants it done or that something is required by law or auditors, are flawed because they don’t give people an incentive to cooperate.

Meanwhile, Paller's online presentation said his recommended approach lets people exercise power without formal authority and that helps people make important strategic change that many others may resist and gets resources without resorting to political games. Paller also said the approach helps avoid adversarial relationships and promotes cooperation.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.