Information security (InfoSec) is the set of processes and tools used to protect information. Evidence-based information security is exactly what the name says: information security whose effectiveness is supported by evidence, rather than by assumption or vendor claims. In today's cyber ecosystem, organizations must protect their information assets and avoid becoming either the target or the unwitting enabler of cyber criminals.

“Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid.” – a quote commonly attributed to Albert Einstein

Read in the context of keeping information secure in a constantly evolving threat landscape, the quote captures how organizations are judged: a breach is taken as a verdict on their ability to protect information, and they know it. That awareness of the impact of a breach has driven costly investments, often under pressure from sales pitches that promise a silver-bullet solution.

Security is about people and processes. The best return on investment comes when security tools extend the reach of the organization's existing resources and when the solution is designed to give operations and management quantifiable performance metrics on the security controls, so that the effectiveness of each control can be measured rather than assumed.

Evidence-based information security is essential for effective risk management.