IT Security On the Road: Life by the Numbers

Oct. 27, 2008
Tracking your progress is essential, both in life and in security

As the weather cools down, I find I have a little more time to work on one of my favorite hobbies: the guitar. I like to take songs my wife and I enjoy and work them up to play around the fireplace or out on the patio. Today, I am learning Stevie Ray Vaughan's Life by the Drop. It is a song he wrote and performed shortly before his tragic and untimely death in a helicopter accident. The song showcases his struggle to overcome alcohol and drug addiction, a debilitating and far too common ailment among professional musicians. He had just managed to clean up his life before his immense musical talent was taken from us.

As I play the song, I can hear how deeply alcohol controlled his everyday affairs—in his words, how he was living life by the drop. I mused over this concept as I glanced at the blood glucose meter I now use to take blood droplets and check my glucose levels. I am not yet diabetic, but I was given a wake-up call by my doctor when the results of a blood test showed I was soon going to be another victim of Type 2 diabetes, also known as adult onset diabetes.

As I walked out of my doctor's office with the test results, I vowed to learn everything I could about the condition before submitting to any type of treatment. The research that followed taught me that bad dietary habits and excess weight contribute to Type 2 diabetes, which is becoming epidemic in this country. Whether I was on medicine or not, I would have to adapt my nutritional intake, lose weight, and get more exercise.

Before opting for treatment, I set out to see what these personal actions could accomplish without medication. I now check my glucose numbers during the day. Stevie Ray's drops are my numbers. I am living my life by the numbers.

In addition to the glucose readings, my numbers include my weight and blood pressure reading. My doctor always collected these numbers, so I was determined to pay more attention to them myself. In addition to the blood glucose meter, I obtained a blood pressure cuff and an accurate scale. Then I took a baseline snapshot of these readings that I would be deeply embarrassed to share with you here.

After getting a good gym membership to augment my dietary changes, I found I had more key numbers to track. At the gym, I would need to monitor the time I spent working my heart rate at 60 to 75 percent of the maximum for my age. Three times a week, I also needed to add weight training to enhance my core muscles and build strength in my arms and legs. I decided to create a personal log to track my progress.

The issue of what to eat was a bit more complex. A few years ago, the high-protein, low-carbohydrate craze grabbed my attention, and I looked into Dr Atkins' program. I should have been suspicious of a diet that allowed me a couple of martinis before a dinner of giant rib eye steak and asparagus drenched in Hollandaise sauce. I had difficulty losing weight with that approach.

My research into the dietary dynamics of diabetes revealed the critical role of foods with low glycemic index loading—another number to track. Based on this information, I created a nutritional program to ensure I had a diet made up of a high intake of low GI carbohydrates, low fat, and high protein content. I built a plan to meet these empirical requirements and now follow it in a daily food planner.

I'm glad to report that all this number crunching is working amazingly well. I dropped 20 pounds the first six weeks. Within that time, my blood glucose levels returned to their normal range. I was also able to eliminate one of the two medications I had been taking to control my blood pressure. I have been enjoying significantly better sleep, and my resting heart rate is now low for a man my age.

Yesterday, I met with my doctor. She hadn't seen me since her diagnosis, and I smugly noted a look of mild surprise when she came into the examination room. She said she was concerned when I had made the appointment; she naturally assumed I had called to begin a regimen of medication to manage diabetes. Instead, she was able to eliminate one of my blood pressure medications and decrease the dosage of the other. There was no need to treat the waning diabetes issue.

When she asked what I had done to effect such a dramatic change, I explained I had decided to take ownership of my health situation, and I had decided to track my progress with numbers I could record and monitor: life by the numbers. She laughed and explained that was how she was tracking my healthcare needs, but that she could only react to what I choose to do with the time between our visits. Only I could take preventive action.

So as I progress through what I pray are my late middle years, I have metrics to track my progress. I have set goals with those numbers. I can then track my ability to obtain those goals with day-by-day monitoring of all the factors that make up the nebulous concept of health. It is hard to say you want to be healthy when you don't have a way to actually determine where you are and where you want to be. It is much easier to determine what factors comprise your health, and then define those empirical metrics you need to set goals and track your progress. For me, those metrics now include my weight, blood pressure, blood glucose levels, and amount of cardio and strength training.

The same challenge exists for security professionals. The concept of security is an ideal. You cannot measure security. You can, however, measure risk. Like those numbers that now track my journey toward better health, you need to research what metrics you need to record and monitor to set goals and track your progress toward more effective security.

There are four primary elements of risk management: threats, vulnerabilities, assets, and safeguards. You realize a risk when the three elements of threat, vulnerability, and asset are present. You mitigate these risks with safeguards. So at a minimum, you need to develop metrics to track at least the four basic elements. Within each element, there may be other tools to employ and numbers you would find valuable to record. These allow you to establish empirical thresholds, baselines and goals. Once you have these established, it is critical to institute tools to track your progress.

In addition to tracking your progress, these tools are most often effective for reporting the state of security for decision makers in your organization. They will undoubtedly ask the thorny question: “Are we secure?” You can quickly and effectively respond by educating them on the importance of your empirical risk management, and demonstrably depict your goals and the progress you are making to meeting them. Your job will become much more manageable when you have the proper tools to measure organizational risk.

I found out I couldn't effectively manage my health with just the nebulous concepts of “healthy” versus “unhealthy.” I had to do research to find a set of metrics I could use to set goals and track my progress. Now I feel I am on the proper path to enjoying my later years. If you cannot measure something, you cannot manage it. It is the same with security. You can live life by numbers, and security by the numbers makes good sense as well.

John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at [email protected].

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].