We’re always trying to get closer to developing more useful security metrics, and examining analogies provides a way to relate these measurements and metrics to things we already know (and that we perceive as being done and measured well). I like good analogies, but I don’t want to be limited by not-so-good ones.
“Flying an airplane” is one such analogy (it is used in various books, articles, discussions, etc.) The idea is that keeping systems up and running is operationally similar to flying an airplane: the gauges and indicators help pilots to safely fly. Similarly, SIEM, AV, IDS, and other security controls provide ways for IT to keep an eye on their systems. But I’m concerned the analogy misses some important consideration:
- Preventing airplanes from crashing due to pilot error or mechanical failure is different from protecting it from intentional acts to crash it. This is much like “oil changes” don’t covering predictions related to people pouring sugar in the fuel tank (which extends to random failures and intentional attack differences in IT).
- Preventing airplanes from crashing is not just related to flying – it’s also related to building airplanes correctly, and to maintaining them the right way. Likewise, running IT systems is only a piece of “doing” IT, where the security is built in and then maintained.
- Preventing airplanes from crashing is also not done in isolation: there are many, many airplanes in the sky at any moment. The complexity of IT systems (which are systems of systems) also does not lend itself to an isolated analysis.
- But most importantly, preventing airplanes from crashing is a small operational aspect of something larger. Airplanes, after all, do not exist just to fly. They exist to transport people and things from point A to point B. This is just like IT systems not existing just to run, but to support a business (process).
So I would argue that what we’re really trying to do is “run the airline.” What do you think?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.