The bloggiste at Layer 8 just declared Security Metrics to be “That Good”. I have no idea who shrdlu actually is. But whoever she is, she deserves a hearty thank-you and an offer of a beer should we ever meet in person. Here is a snippet of what she said:

I have found the Metrics Prophet for our times, and his name is Andrew Jaquith.

I stumbled home yesterday from work, sleep-deprived, jittery, and feverish from an oncoming cold. I tucked myself into bed, hoping to sleep—but I could not sleep until I had read Security Metrics cover to cover. It was That Good.

Now, either that makes me the biggest saddo anorak west of the Pond, or it means Jaquith is an extraordinary writer about what would otherwise be an extremely dull subject. I would of course prefer to think it’s the latter, and I’m sure he would too.

First off, his writing is chock full of playfulness and amusing literacy, from the literary nods (“Call me Analyst.”) to the rimshots (“… the top and bottom 50% are divided by—wait for it—the median!”).

Secondly, his metrics are for the most part accessible, meaning that as soon as I see them, I think, “Yeah, I could get those!” And a whole lot of them are ones I’d already thought of, but there are a few gems in there that were like little Altoids in my mouth, that made me sit up and go, “Whoa.”

You can see the rest of her review on her website. If you are thinking of buying the book, her comments should give you an idea of what is inside. She has some excellent and perceptive constructive criticisms also, which are all on target.

Ms Shrdlu, thanks very much for the kind words. I especially appreciate that she caught my nod to Herman Melville in the first line of the book (“Call me Analyst.”).