CSIS and Recommendations

Posted November 2nd, 2007 by

Oooh, there is a committee formed by some notables to provide suggestions to the new President. My thoughts are mixed on this one.

Then Richard Bejtlich gets involved, suggesting Jaquith’s Security Metrics. Yes, that’s part of it.

This is the world according to rybolov and some responses to the various people:

  1. What exactly are you trying to measure? When it comes to the FISMA scores, what are we doing except “security management through shame”? Metrics are not effective unless they produce something actionable. The metrics should be aimed at questions like “Are we getting the kind of security we would expect for as much as we are spending?”, “Is our security spending correct for the level of risk that we have?”, or even “As a nation, where do we need to be putting in additional controls for high-risk activities?”
  2. You need a catalog of controls. It’s that simple: not everyone is a rocket scientist when it comes to enterprise risk management, so you need a set of rules to justify the budget. Yes, too much time is spent doing that, thanks to the five layers of oversight on where the money is going.
  3. Today’s government CIO and CISO serve in an advisory role, with Congress micromanaging their budget. Let’s just say that, of all the criteria for selecting representatives to Congress, understanding security budgeting isn’t even on the map. Now how do you expect to win in that environment? You can’t keep beating up the CIOs and CISOs in the executive branch for decisions made by the legislative branch. You also can’t expect some things that work in the private sector to work in government, because the money trail is very different.
  4. You will not accomplish anything with the same people doing the same things. Do you think that with the same people doing $FooFramework instead of a FISMA framework you will suddenly succeed? The basic problem is that we have a higher demand for security people than we have clueful people to fill the gaps. As a result, you have to deal with a high percentage of also-rans and charlatans.
  5. How do we get people trained to where they need to be? We have a significant gap between our abilities and our needs for security people. I’ve talked about this before: http://www.guerilla-ciso.com/archives/270
  6. Network Security Monitoring (NSM) practitioners need to figure out how to market themselves to these people as “yes, I’m a Subject Matter Expert, and here’s how I fit into your catalog of controls”. In other words, make it easier for people to justify hiring you. A *good* FISMA person could sit down for a couple of hours and give you something that traces back to 800-53 controls and shows how you satisfy them. Put differently, I think Bejtlich has some phenomenal ideas and I’m fairly sold on NSM, but how do I get people to “buy in” when they have all these other ideas competing for people, time, and money?
  7. NSM people need to make contacts with the people who write the framework and convince them that what they do has merit, and that the framework should be changed to include the parts of NSM that aren’t already there. Remember, my audience is Congress: how do I justify the money to get NSM implemented? Either I get it added to the rules, or I show people how NSM is implied in the rules.

Posted in FISMA, What Doesn't Work, What Works

One Response

  1.  Ooh, “The Word” is out on S 3474 | The Guerilla CISO Says:

    […] So you think you’re going to do any better with any other framework/law and the same people executing it? […]
