Evidence Based Security
As security professionals, have we ever sat down and truly made an effort to empirically determine what controls are actually effective in our environment and what controls do very little to protect our environment or, worse yet, actually work to undermine our security.
That's from The Need for Evidence Based Security, by Chris Frenz, which is worth reading.
His focus on moving from compliance with untested standards to demonstrating effectiveness is very welcome, and I appreciate the tie to evidence based medicine for his audience.
Go have a look.