Ranking needles

Pouring more money into infosec won’t make us more secure unless we know what’s working and what isn’t. Maybe we need a way to compare those things.

Tim White wrote for the NYTimes on 22 January 2014, in Finding a Needle in a Digital Haystack:

Last year the private sector spent $67.2 billion on cybersecurity services. Nevertheless, according to a recent investigation by Verizon, 60 percent of successful hacks were not detected until months after the attacks began. In the wake of recent high-profile hacker attacks against Target, Neiman Marcus and other retailers, the obvious question is: Why hasn’t all that money done any good?

It’s not for lack of trying. Much of the money is well spent, paying for armies of technical engineers and state-of-the-art security applications.

The problem is not the resources, or the personnel, or the data. It’s that many organizations simply don’t know how to arrange the data to identify suspicious patterns and weaknesses, at least not fast enough. There’s too much data, and not enough perspective.

What we need, then, is not necessarily more money or information, but a better way of knowing what it means — of interpreting the data to discover an unknown attack as it happens or, even better, anticipate the next attack.

What if we rank organizations by the effectiveness of their security? Then those who rank poorly will have incentive to learn from those who rank well.

The article emphasizes visual aids:

The solution lies in finding a way to examine the data so that analysts can quickly identify suspicious patterns. Instead of programs to generate more data, we need different tools to understand them. And it turns out that the best tools are right in our heads: our eyes.

Those are good, too, and something as simple as line graphs comparing different organizations can help. See SpamRankings.net.

-jsq