The question inevitably arises, “how best can we secure our organization?” When posing this, many people- even security practitioners- tend to believe there is a concrete and clear answer; in fact, there is not one answer but, instead, a series of answers that in toto help organizations decrease their chance of both being attacked and of the attacks being serious or game-changing.
Clearly, data has a role to play in formulating security strategies but once again, the ways in which data is used in the security space are not always consistent or even particularly useful.
At the outset, it is key to remember that the security practice in your organization does not sit atomically, disconnected from the larger goals of the organization. With regard to your security practice therefore, it is crucial to align your data analysis goals with whatever risk management framework the organization as a whole is using. You should focus your data collection and analysis on the likeliest and severest risk scenarios for the organization as an entity.
Keep in mind the limits of security-related data collection. You can collect tomes of data but if the analysis does not allow you to make decisions or take actions to mitigate risk, this data becomes “nice to know” but is not particularly or manifestly useful.
Understand that security is not a “point in time” or parenthetical matter but is in fact a core business issue that has to be tended to continuously. Ensure your data gathering and analysis is repeatable and consistent and combines qualitative, quantitative, and readily available sources. If you simply cannot muster good data, consider solutions that will provide this data before proceeding. Don’t indulge in “Security Theater.” It doesn’t do anyone any good and likely will give you a false sense of safety.
Data is the Creator and the Destroyer. You need it to run a dynamic and smart security practice but it is not a god to bow to.