In this recent column published by USENIX, one of the most respected communities of engineers, system administrators, scientists and technicians, co-authors Dan Geer (Senior Fellow at In-Q-Tel and a widely recognized security and risk-management expert) and Jason Crabtree (CEO and co-founder of QOMPLX) explain in real-world terms why it is essential that we reclaim metrics.
The column details the explosion of interest in measuring and reporting on security, and notes that many of the resulting initiatives lack a common frame of reference for understanding the field. Geer and Crabtree observe that “we are too often speaking past one another—even more so as information technology, business, legal, and other professions collide.” A common vocabulary and a robust ontology for cyber security, and for technology risk more broadly, are urgently needed so that individual organizations and the wider community can identify, quantify and manage both local and systemic risk.
We're excited to share more of the thinking that helped launch QOMPLX. The company was founded to help organizations navigate the complexity of today’s interconnected world: to focus on their own critical business priorities while benefiting from shared tooling, infrastructure, data and models for operations, risk management and systemic-risk issues within their communities. Because systemic risk analysis requires combining data from multiple entities, organizations need common data models and a consistent ontological framework to support shared understanding, reasoning and communication. QOMPLX has worked on the core issues raised in this column since 2015; it was founded to support continuous monitoring of complex networks from diverse data feeds, with security metrics and decisions backed by a common data fusion factory and increasingly interoperable detections, models and simulations.
We have dedicated ourselves to unified enterprise analytics and robust data models. This work is critical to enabling consistency and collaboration across the community of information security and risk practitioners.