In The Book of Risk, Dan Borge writes that "the purpose of risk management is to change the future, not to explain the past." The subtitle of Andrew Jaquith's book is "Replacing Fear, Uncertainty, and Doubt," and that is a clear description of the purpose of security metrics. Phil and Scott are joined by Andrew, as well as Daniel Geer, Vice President and Chief Scientist of Verdasys. The group discusses the concepts and purpose of metrics in security management.
Andrew and Dan first review their backgrounds and what led them to become involved in technology security. They talk about how they quickly discovered that it was important to quantify security issues, particularly as a way to better predict future problems. Jaquith also discusses his book in detail, starting with the concept of the "Hamster Wheel of Pain". They assess why people fail to properly measure security as well as what makes a good metric.
Andrew Jaquith is the program manager for Yankee Group’s Enabling Technologies Enterprise group, with expertise in compliance, security, and risk management. Jaquith advises enterprise clients on how to manage security resources in their environments. He also helps security vendors develop strategies for reaching enterprise customers. Jaquith’s research focuses on topics such as security management, risk management, and packaged and custom web-based applications.
Jaquith has 15 years of IT experience. Before joining Yankee Group, he cofounded and served as program director at @stake, Inc., a security consulting pioneer, which Symantec Corporation acquired in 2004. Before @stake, Jaquith held project manager and business analyst positions at Cambridge Technology Partners and FedEx Corporation. His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist. In addition, Jaquith contributes to several security-related open-source projects. Jaquith holds a B.A. degree in economics and political science from Yale University.
Daniel Geer is Vice President and Chief Scientist of Verdasys. Previously, Dr. Geer served as CTO of @stake, a leading digital security consulting firm. Dr. Geer also ran the development arm of MIT's Project Athena, where his staff on his watch pioneered Kerberos, the X Window System, and much of what we take for granted in distributed computing. In past positions as a consultant and an officer in a number of startups, he has provided industry leaders with high-level strategies in all matters of digital security and in promising areas of security research. He is a widely noted author in scientific journals and the technology press, and has co-authored several books on risk management and information security.
Dr. Geer has testified before Congress on multiple occasions and has served in formal advisory roles for the Federal Trade Commission, the National Science Foundation, the Treasury Department, the National Research Council, the Commonwealth of Massachusetts, the Department of Defense, the National Institute of Justice and the Institute for Information Infrastructure Protection.
Dr. Geer holds several security patents, and received an Sc.D. in biostatistics from Harvard and an S.B. in electrical engineering from MIT. He serves both fiduciary and non-fiduciary roles for a number of promising startups. He is also past president of the USENIX Association.
This free podcast is from our Technometria with Phil Windley series.