Virtual FOSE: Metrics, comparisons recommended for winning IT security support

Advice for IT security professionals without budget authority on how to make their case

Information technology security professionals who don’t control budgets should use reliable and authoritative metrics to monitor and compare performance to win support for new investments, a cybersecurity expert said today.

Alan Paller, director of research at the SANS Institute, said it’s important for security professionals to make their cases for funding in ways that use numbers or categories to make comparisons that motivate people. Paller also said regular schedules for monitoring are also important for winning support.

“Comparison gives you a motivation that’s enormously powerful,” he said during an online presentation of the Virtual FOSE Conference. The conference is sponsored by 1105 Media, the parent company of Federal Computer Week.

Meanwhile, Paller also said metrics should be reliable, important and authoritative.

“You cannot do monitoring if it’s unreliable because then everybody gets into a fight about people’s measurements instead of getting into a goal of getting things fixed,” Paller said.

Paller said the problem with the Federal Information Security Management Act is that guidance for meeting its requirements doesn’t have metrics that lead different evaluators following the same processes to reach the same conclusions.

He said because the nature of IT security makes it impossible to fix everything, success is doing at least as well as or better than other people. Paller said traditional approaches to get people to do something, such as saying the boss wants it done or that something is required by law or auditors, are flawed because they don’t give people an incentive to cooperate.

Meanwhile, Paller's online presentation said his recommended approach lets people exercise power without formal authority and that helps people make important strategic change that many others may resist and gets resources without resorting to political games. Paller also said the approach helps avoid adversarial relationships and promotes cooperation.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • FCW Perspectives
    zero trust network

    Can government get to zero trust?

    Today's hybrid infrastructures and highly mobile workforces need the protection zero trust security can provide. Too bad there are obstacles at almost every turn.

  • Cybersecurity
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    NDAA process is now loaded with Solarium cyber amendments

    Much of the Cyberspace Solarium Commission's agenda is being pushed into this year's defense authorization process, including its crown jewel idea of a national cyber director.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.