Excuses Not to Use CVSS

I have always been a fan of the good work done by the CVSS folks. I have an obvious reason to like CVSS, of course: namely, to cheer on a former co-worker, Mike “Shifty” Schiffman, who was of the first version’s authors. But more than that, I like CVSS because it is a bold attempt to create a scoring system for vulnerabilities that is objective and independent of any single vendor’s spin. As an industry, we need this. I reference, and commend, CVSS in my book Security Metrics.

Today, Computerworld reports that CVSS version2 is now out. That’s great news; congratulations to Gavin and the rest of the team. I hope Microsoft and other vendors actually start using it.

One thing about that Computerworld story that annoyed me, however, was Robert Beggs’ comment that enterprises shouldn’t use CVSS to “manage by the numbers.” Specific critiques of CVSS aside, why shouldn’t we do that? Isn’t that the point of measuring things? I guess we should manage by voodoo instead.

Honestly, I find comments like this exasperating. On the other hand, you never know what a reporter is going to pick up on and write in a column. I’ve said some damned silly things, as throwaways, that were printed. (My comment to InformationWeek’s Marty Garvey, calling Mozilla’s tabbed browsing feature “the best thing since sliced bread,” is one such stinker that got printed.)

More from Markerbench

Andrew Jaquith

Talking to Executives About Cyber and Technology Risks

Senior managers talk about risks, and not about threats or controls. To have better conversations with senior leaders, focus where the risks are coming from, and why. This post offers a vocabulary for talking about cyber- and technology-related risks and their causes.

11 min read ∙ January 31, 2024

Andrew Jaquith

Who Killed the Perimeter? Some Clues.

Enterprise network perimeters have been disappearing: at first slowly, and then suddenly, all at once and at knifepoint. If this were a game of Clue, I’d accuse the Ransomware Actor, on the Edge Device, with the Zero-Day.

9 min read ∙ November 14, 2023

Andrew Jaquith

Microsoft to CIOs: Drop Dead

Microsoft’s new advice for securing Active Directory does customers a disservice by focusing on the wrong things. Tomorrow’s “Zero Trust” and Azure roadmaps won’t stop today’s ransomware epidemic. Enterprises need to protect the Active Directory they’ve already got.

7 min read ∙ December 22, 2020

Andrew Jaquith

Five Lessons from a Decade of Security Metrics

The data revolution sweeping over IT has come to cybersecurity. CISOs can learn from their success disasters, instrument their controls, and write key risk indicators (KRIs) that resonate with their audiences.

20 min read ∙ March 21, 2019

Andrew Jaquith

The Twenty-Year War on Cybercrime

Digital crime is on the rise. To defeat it, defenders need to scale up, gain the full picture of risk, and heed the lessons of John Boyd.

18 min read ∙ June 6, 2015

Andrew Jaquith

Escaping the Hamster Wheel of Pain

Security shouldn’t be an endless patch-and-pray exercise. Metrics offer a way out.

9 min read ∙ May 4, 2005