Someone recently pointed out an article to me: ‘Big 12 beats Ivy League – in cybersecurity’
I didn’t realize that there was a competition between schools as to who does better security. I know that we are competing with the bad guys, that is obvious, but now I have to worry about beating out my friends – and I thought that we were in this together.
One of the best things about working in higher education is the community of smart people sharing information on how to solve very hard problems without huge resources. Now, along comes this magazine trying to get us to compete on our security score, which is being put out there by a company that seems to be selling security scores.
I, for one, refuse to be manipulated into this reality TV-like competition.
I see these ridiculous shows on TV (I guess I really am getting old) and I wonder what the entertainment value is in turning everything into a competition. One of the things I have learned is that in order for a fight to be fair, you need to make sure that the two sides are evenly matched.
Computer security is, at best, a street fight with the bad guys having a huge advantage. I think that if we have any hope of holding our own, never mind winning, we all need to work together, pool our knowledge and make sure that we are all working toward the same goal.
I am not saying that a little friendly competition is a bad thing, but I don’t really see the value in splashy headlines making it look like we are trying to compete. I have this crazy idea that the good guys should be working together to pool our collective knowledge resources to try and make a dent in what appears to be a losing battle.
Our biggest problem is that we (security people) need to be right 100 percent of the time and the bad guys only need to be right once. I don’t like the odds, and I bet that none of the good guys reading this like them either.
One of the things that I believe is essential for any good security program is metrics – if you are not keeping track of how you are doing, it is not really possible to improve.
I think that if you really want to compete with someone, you should be spending the time and resources to build a security metrics program that will allow you to compete with yourself – see if you can improve your statistics over time. To me, this would be a big win.
I do see how stopping a few additional bad guys would not garner additional views and advertising revenue for an online magazine, but the reality is, that is not what I am getting paid to do. Besides, how many of you actually believe that the best way to find a mate is to go on TV?