A new movement to encourage sharing of information among trusted users has been launched and is seeking new partners.
Founder Wolfgang Kandek, CTO of Qualys, said that the campaign stemmed from the experience of security departments typically being policy-driven, beholden to extensive guidelines, and unable to measure their programs in a way that is intelligible to their non-technical colleagues.
He said: “We are good at reaching out to people about who is doing security with data as a number of organisations gather data to pilot proposals and know where to go. If you are in financial services you will do reviews and see how the metrics change and see how things are going and we think security should aim to do something similar. Financial services companies are very innovative and I think security can follow that model.”
Kandek told IT Security Guru that the answer lies in shifting to data-driven security: by tracking metrics, security professionals around the world have been able to drive behavioural change and ensure that employees embrace security. “We have companies who volunteer information, some anonymously, and it is a good thing as it helps others, and you know where you are in the process and assess your values.
“It is intended to show positive things, as most news and data is negative: malware; data breaches; vulnerability – and this is a security posture and it will improve over time. It will help CISOs to judge their performance and monitor their improvements. Moving away from a belief system will help you say to the board that you got better as the amount of vulnerabilities halved and you have an improvement.”
Kandek said that this operation was being run under the Trusted Internet Movement (TIM) banner to keep it independent, so that it is of use to everyone. He said that ten companies had joined the movement since the launch last week and that, so far, it was working with large companies and government departments. However, he was keen to work with small businesses, as many companies say that they have the data and would love to use it for certain things, including measuring their security program.
He said: “The next stage is more data sources, and those doing this are able to say that they are doing this and what they are learning.”