CAG, BSIMM and field-assessed security
One of the best blog posts I read last week was "Consensus Audit Guidelines are still controls" from Richard Bejtlich. I really like that he is looking at a set of suggestions (in this case, the CAG) and pointing out that they are just controls; there is nothing in them about measuring the outputs. That goes directly to the heart of the metrics issue: it's still very hard to measure success in information security. For instance, each control from the