Richard Bejtlich recently posted a comparison of current information security practices to the times of Galileo. Rather than listening to the same old rhetoric and belief, Galileo centered his claims on empirical (measured) evidence. This sounds similar to the concept of “management by fact” (which Bejtlich has also posted on previously). I think there is a lot of merit in measuring what we do in infosec and then managing by fact.

I do, however, have one minor criticism of this approach, while not actually disagreeing at all with Bejtlich.

Galileo used measurements to shatter beliefs, but many things that seem like beliefs in infosec may well have been at one time or still are based on measurements (the validity of the measurements may be suspect, however!).

Would it be management by belief if 50 companies reported measured success with a password policy, and I simply accepted that conclusion and implemented it? Or if 500 incident reports showed that patching within 30 days didn’t help, so why bother? Holding too firmly to the Galileo example (management by fact) may end up implying that unless you personally have made the measurements, everything else is belief. But not everyone has a big telescope.

This might be a discussion on the validity of statistics versus facts versus belief versus best practices versus risk…

Galileo benefitted from two things that we do not have. A) Nothing he or anyone else did would change the a priori truth that the Earth revolves around the Sun. People just had to measure it correctly. B) No one had provided the proper measurements before. At all. We don’t have the assurance of A in infosec, nor are we forging absolutely new ground as in B.

Now, while I offer up the above, I don’t say that companies should get away with not measuring their own implementations, not at all! I just don’t want to go too stubbornly down a road that leads to an egocentric security stance that may or may not be right.

Maybe, because of A, this is a discussion that needs to branch in two directions that should not be mixed: macroscopic infosec and microscopic infosec. Macroscopic infosec would deal with large entities and their interactions (ISPs, global security, standards, compliance, or universal practices that everyone should pay attention to). Microscopic infosec would deal with what one company implements within its virtual walls, how it measures it, and how it manages by fact.

  1. Hey LV:
    “unless you personally have made the measurements, then everything else is belief.”
    And even if you have personally made the measurements, they still are belief. And if you haven’t made the measurements, they still are belief.
    Measurements are what you believe about the state of nature.

