Wednesday, January 21, 2009
from the other side
I'm usually ranting here about the usage of statistics, risk metrics and other quantitative approaches (such as ROI) to support security decisions. Well, there is a small but very smart comment from Lindstrom regarding some of "our" arguments against those methods. I completely agree with him. That's why this blog is named "Security Balance": it's my statement that we need to pursue the balance between different approaches (security / productivity, quantitative / qualitative, network / endpoint, prevention / detection, awareness / enforcement) to achieve the best possible results. Usually my criticism of a specific subject is related to an excessive confidence about its importance or effectiveness, and it should not be taken as a suggestion to completely drop that in favor of the other side. Balance is the key to better security.