When Successful Security Measures Are Taken For Granted

When information security controls consistently protect networks, systems or applications, there is a risk that the defenses they provide will be taken for granted. Executives might wonder, “We haven’t had any breaches recently. Why do we need a CISO?” Home users might muse, “Why do I need an antivirus tool if I’ve been malware-free for months?”

How might we keep information security successes from leading organizations and individuals toward complacency? How can we make sure that the safeguards continue to be valued by those who benefit from them?

One way to mitigate the risk that security measures will be taken for granted is to collect meaningful metrics that show the safeguards are active and providing value. Determining which metrics to collect, and how to collect them, is hard; a good way to start learning about this topic is Andrew Jaquith’s iconic book Security Metrics: Replacing Fear, Uncertainty, and Doubt.

The makers of computer security products also need to remind users that the product is active and providing value. The challenge is to do this without annoying the user with frequent and irrelevant prompts. Some of the tools I’ve seen accomplish this by presenting the user with periodic activity reports summarizing the number of blocked intrusion or infection attempts. Though the numbers in such reports are rarely meaningful to people, they act as reminders that the system is being protected.

Both metrics and activity reports are an opportunity not only to show that safeguards are in place, but also to help the audience judge whether the controls need tuning. They can also be a chance to educate the audience on how to improve their security posture even further.

For instance, an antivirus tool might report the number of times the user clicked links embedded in email messages and explain the risks of this behavior. This would allow the product not only to remind the user that the protection is active, but also to provide additional value through education. A CISO might show an increase in security patch coverage in a given department, using it as an opportunity to gain support for expanding the program to other groups.
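The activity report and patch-coverage metric described in the last three paragraphs can be produced from two small data sources. The following Python script is an added example, not code from the original post or from any product it mentions. The log line format, the sensor names, the "email-link" event type and the patch inventory are all constructed assumptions for the example. It also adds one check a practitioner would want in such a report: a sensor that produced no events at all is listed separately, because silence can mean either "nothing to block" or "the agent is dead", and the report should not let the audience confuse the two.

```python
"""Periodic security activity report built from constructed sample data.

Added illustration, not code from the original post. The log format, sensor
names and patch inventory below are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (assumed format: timestamp, sensor, key=value pairs).
SAMPLE_EVENTS = """\
2024-05-01T08:13:02Z endpoint-av action=blocked type=malware host=ws-17
2024-05-01T09:40:11Z endpoint-av action=blocked type=phishing-link host=ws-03
2024-05-01T10:02:45Z endpoint-av action=allowed type=email-link host=ws-03
2024-05-02T11:21:09Z firewall action=blocked type=intrusion host=gw-01
2024-05-02T11:21:10Z firewall action=blocked type=intrusion host=gw-01
2024-05-03T14:05:33Z endpoint-av action=allowed type=email-link host=ws-17
2024-05-03T14:05:40Z endpoint-av action=blocked type=phishing-link host=ws-17
this line is not an event and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) action=(?P<action>\S+) type=(?P<type>\S+) host=(?P<host>\S+)$"
)

# Sensors the report expects to hear from (assumed names). A sensor with zero
# events is reported separately: silence may mean "nothing to block" or
# "the agent is dead", and only a human can tell which.
EXPECTED_SENSORS = ("endpoint-av", "firewall", "email-gateway")


def parse_events(text):
    """Yield dicts for well-formed lines; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def activity_report(text, expected_sensors=EXPECTED_SENSORS):
    """Summarize blocked events per sensor and event type, plus two signals
    that help judge whether controls need tuning or users need education."""
    blocked = defaultdict(Counter)   # sensor -> event type -> count
    seen = set()
    email_link_clicks = 0            # allowed "email-link" events: the educational metric
    for ev in parse_events(text):
        seen.add(ev["sensor"])
        if ev["action"] == "blocked":
            blocked[ev["sensor"]][ev["type"]] += 1
        elif ev["type"] == "email-link":
            email_link_clicks += 1
    return {
        "blocked": {s: dict(c) for s, c in blocked.items()},
        "total_blocked": sum(sum(c.values()) for c in blocked.values()),
        "email_links_clicked": email_link_clicks,
        "silent_sensors": sorted(set(expected_sensors) - seen),
    }


# Constructed patch inventory: department -> (hosts fully patched, total hosts)
# for two consecutive reporting periods.
PATCH_INVENTORY = {
    "finance":     {"previous": (40, 50),  "current": (47, 50)},
    "engineering": {"previous": (90, 120), "current": (88, 120)},
}


def patch_coverage(inventory):
    """Per-department coverage percentage and its change since the last period."""
    out = {}
    for dept, periods in inventory.items():
        prev_ok, prev_total = periods["previous"]
        cur_ok, cur_total = periods["current"]
        prev_pct = round(100.0 * prev_ok / prev_total, 1) if prev_total else 0.0
        cur_pct = round(100.0 * cur_ok / cur_total, 1) if cur_total else 0.0
        out[dept] = {"coverage_pct": cur_pct, "change_pct": round(cur_pct - prev_pct, 1)}
    return out


def render(report, coverage):
    """Plain-text summary suitable for a periodic email or dashboard panel."""
    lines = [f"Blocked events this period: {report['total_blocked']}"]
    for sensor, counts in sorted(report["blocked"].items()):
        detail = ", ".join(f"{t}={n}" for t, n in sorted(counts.items()))
        lines.append(f"  {sensor}: {detail}")
    lines.append(f"Email links clicked (education opportunity): {report['email_links_clicked']}")
    if report["silent_sensors"]:
        lines.append("Sensors with no events (verify they are alive): "
                     + ", ".join(report["silent_sensors"]))
    for dept, c in sorted(coverage.items()):
        trend = "up" if c["change_pct"] > 0 else "down" if c["change_pct"] < 0 else "flat"
        lines.append(f"Patch coverage {dept}: {c['coverage_pct']}% ({trend} {abs(c['change_pct'])} pts)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(activity_report(SAMPLE_EVENTS), patch_coverage(PATCH_INVENTORY)))
```

On the sample data the report shows five blocked events, two email-link clicks worth a reminder to the user, an "email-gateway" sensor that never reported (a prompt to check the sensor rather than a reassurance), finance coverage up 14 points, and engineering coverage slightly down. The last two lines are the kind of per-department trend a CISO can use to argue for extending the patching program.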

Lenny Zeltser


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.