Why is so much of technology security such a mystery? In particular, why does it have so few metrics?
I get it. For any given company, if there hasn’t been a breach lately, it’s assumed that defenses must be working. But shouldn’t there be better measurements of effectiveness? Some level of business accountability? A basic ROI calculation? Consider the size of the security budget: Gartner projects that global spending on information security products and services will exceed $93 billion in 2018 alone, and that number keeps growing.