Ramon Krikken is a Research VP on the Gartner for Technical Professionals Security and Risk Management Strategies team. He covers software/application security; service-oriented architecture (SOA) security; and structured and unstructured data security management, including data masking, redaction and tokenization.

Are You Flying the Airplane, or Running the Airline?

by Ramon Krikken  |  May 3, 2012  |  1 Comment

We’re always trying to get closer to developing more useful security metrics, and examining analogies provides a way to relate these measurements and metrics to things we already know (and that we perceive as being done and measured well). I like good analogies, but I don’t want to be limited by not-so-good ones.

“Flying an airplane” is one such analogy (it is used in various books, articles, discussions, etc.). The idea is that keeping systems up and running is operationally similar to flying an airplane: the gauges and indicators help pilots fly safely. Similarly, SIEM, AV, IDS, and other security controls give IT ways to keep an eye on their systems. But I’m concerned the analogy misses some important considerations:

  • Preventing airplanes from crashing due to pilot error or mechanical failure is different from protecting them from intentional acts to crash them. This is much like how “oil changes” don’t cover predictions about people pouring sugar in the fuel tank (which maps onto the difference between random failures and intentional attacks in IT).
  • Preventing airplanes from crashing is not just related to flying – it’s also related to building airplanes correctly, and to maintaining them the right way. Likewise, running IT systems is only a piece of “doing” IT, where the security is built in and then maintained.
  • Preventing airplanes from crashing is also not done in isolation: there are many, many airplanes in the sky at any moment. The complexity of IT systems (which are systems of systems) also does not lend itself to an isolated analysis.
  • But most importantly, preventing airplanes from crashing is a small operational aspect of something larger. Airplanes, after all, do not exist just to fly. They exist to transport people and things from point A to point B. This is just like IT systems not existing just to run, but to support a business (process).

So I would argue that what we’re really trying to do is “run the airline.” What do you think?

Category: Security

  • Vicente Aceituno Canal  |  May 5, 2012 at 5:18 am

    I agree with you. Actually, my main criticism of most security metrics proposals and discussions is that many security professionals neglect the “Run the Airline” metrics, what I call security management metrics. The Open Group’s O-ISM3 uses “Run the Airline” metrics, and it is becoming more and more popular for this reason…