I read a Linkedin post yesterday from Mike Ebbers ( post ) postulating how we might make a comparison between law enforcement and information security personnel. His basic premise is law enforcement does not prevent 100% of crime, but they are not “fired” for not meeting this unattainable goal. So, why are company IT security personnel not held to the same standard?

After all is it realistic to expect our security teams to have a 100% prevent defense? Since, I served time in the law enforcement/intelligence field ( read my story on Linkedin ) this post resonated with me.

Our firm works with security teams in enterprises every day and I can tell you they are dedicated, trained, passionate and STRESSED to the hilt on getting things right. From having the right “tools”, meeting business driven metrics, adhering to overwhelming compliance and regulations to keeping up with all the “new shiny security objects” and the associated noise in the market. Plus, add in the continued bad habits of employees that lead to security risks.  It’s no wonder the average life span of a CISO is 2-3 years.

So, what do businesses do to support their security teams and provide realistic and acceptable metrics that have some relevant measurements? Mike’s proposal to define acceptable metrics is a start. How about developing a “risk register” at the business level that drives those metrics and identifies severity of risk and possible solutions that can be applied. We usually ask clients if they have a risk register and often it is “NO”.

Maybe do what Steve Cohen wanted to do when he started up his new investment firm (after being the subject of a SEC probe of criminal behavior) look to hire former law enforcement article 

What do you think?