
Why we need a new definition of information security

Scribed by James M. Anderson


Publisher: Elsevier Science
Year: 2003
Tongue: English
Weight: 101 KB
Volume: 22
Category: Article
ISSN: 0167-4048


Synopsis


There is an old Peanuts strip where Charlie Brown says, "Working here is like wetting your pants in the pool, wearing a dark bathing suit. You get that warm feeling but nobody notices." Increasingly, I think computer security professionals in large enterprises are in that metaphorical swimming pool. In fact, many are swimming in the deep end without their water wings.

When computer security professionals do an excellent job protecting systems and information, the number of bad outcomes decreases. After a generation of peace, pretty soon people start asking why we need the army. I believe this problem stems in part from a fuzzy fundamental: the definition of information security.

What is information security? Is it, as one would have to conclude from a broad survey of published material, all about Confidentiality, Integrity and Availability (CIA)? There may be no one who says, "information security = CIA." Certainly, infosec=CIA cannot be true in the canonical sense. To measure infosec, one must measure the elements of CIA; measurements that are elusive. The bottom line is that we do not have generally accepted measurements of confidentiality, integrity and availability, other than the raw count of damaging incidents along with tenuous estimates of the damage. When the number of damaging incidents drops due to an effective infosec program, the measurement problem increases. No incidents means no 'before' and 'after' pictures and no measurable return from the avoidance of incidents. Make no mistake; big money is being spent on information security. IDC recently put the total at $17 billion annually in 2001 for infosec products and services in the US, growing to a projected $45 billion estimated by 2006 [1]. Many firms, especially large financial institutions, are spending upwards of 2% of total IT budgets directly on information security. As

