Virtual FOSE: Metrics, comparisons recommended for winning IT security support

Advice for IT security professionals without budget authority on how to make their case

Information technology security professionals who don’t control budgets should use reliable and authoritative metrics to monitor and compare performance to win support for new investments, a cybersecurity expert said today.

Alan Paller, director of research at the SANS Institute, said it’s important for security professionals to make their cases for funding in ways that use numbers or categories to make comparisons that motivate people. Paller said regular schedules for monitoring are also important for winning support.

“Comparison gives you a motivation that’s enormously powerful,” he said during an online presentation of the Virtual FOSE Conference. The conference is sponsored by 1105 Media, the parent company of Federal Computer Week.

Paller also said metrics should be reliable, important and authoritative.

“You cannot do monitoring if it’s unreliable because then everybody gets into a fight about people’s measurements instead of getting into a goal of getting things fixed,” Paller said.

Paller said the problem with the Federal Information Security Management Act is that guidance for meeting its requirements doesn’t have metrics that lead different evaluators following the same processes to reach the same conclusions.

He said that because the nature of IT security makes it impossible to fix everything, success is doing at least as well as or better than other people. Paller said traditional approaches to get people to do something, such as saying the boss wants it done or that something is required by law or auditors, are flawed because they don’t give people an incentive to cooperate.

Paller's online presentation said his recommended approach lets people exercise power without formal authority, helps them make important strategic changes that many others may resist, and gets resources without resorting to political games. Paller also said the approach helps avoid adversarial relationships and promotes cooperation.

About the Author

Ben Bain is a reporter for Federal Computer Week.
