Roger A. Grimes recently posted an article that makes a lot of simple sense. He talks about the effect of consistency, even in just the basic security principles, and how it can increase security. I really couldn't agree more. Consistency is highly important. Metrics are important too, of course, but make sure to pick the right ones and be consistent with them as well.
How many of us work in computer security environments where basic security recommendations are not applied consistently? I think it is nearly impossible to find a company that consistently and universally applies basic security tenets. So, we have inconsistencies, cracks in the system, and bad things are allowed to occur. The very human nature of purposefully allowing inconsistency as a norm leads to below-average outcomes. Taking a personal and institutionalized interest in applying basic security principles consistently will mitigate more risk and lead to a more secure environment.