Aaron Weller: The Best Security Metrics Are Actionable
Activity metrics are useful only to prove that you’re doing something, but they don’t show how effective that activity is. Everything that gets presented to the board has to have a clear link back to business value and business strategy. "If a metric changes and you...
Steven Parker: Security Metrics: The More You Know, the More You Grow
A solid, standardized framework will answer many questions about how secure you are, but tracking the right metrics will drive your understanding deeper. Your basic message to executives should be that secure systems are what make it possible to continue growing the...
Roota Almeida: Security Metrics Must Demonstrate Effective Security Governance
The executive committee is interested in the anticipated outcomes of resource allocations. There are instances where security teams deal in qualitative evaluation, but remember that the executive committee wants quantifiable answers based on quantitative metrics....
Ed Adams: Government Agencies Rely Too Heavily on Compliance
Software is now running our world. If we don’t create and deploy secure software, we are creating massive attack surfaces for ourselves. Most government agencies are not driven by a need to achieve a certain security posture. Rather, they’re driven by mandates to be...
Dave Shackleford: Make Security Metrics Your Chaos Indicator
Choose metrics purposefully. Tracking unapproved configuration changes makes sense; tracking the number of antivirus installations probably doesn’t. CISOs should constantly chart their IT environment and keep tracked metrics close at hand, to be communicated at a...
J. Wolfgang Goerlich: Strengthen Security by Gathering Quality Threat Intelligence Metrics
To determine the best security metrics for your organization, gather quality intelligence on the internal and external threats unique to your environment. When communicating your company’s security posture to the CEO, use specific examples that are supported by data...
Julian Waits: Using Security Metrics to Defend the Business
The CISO should be prepared to answer a CEO’s questions using metrics on the applications, processes, and end users that matter most. The CISO must play educator to the CEO as well as the other key end users. Metrics are an important way to ensure that the word is...
Vikas Bhatia: The Key: Linking Security Metrics to Business Objectives
The CEO is looking to the CISO and the CISO’s organization to adequately assess the risk and prioritize it. Rather than reporting on the ROI for one piece of equipment, it’s best to present the board with information showing how the investment has affected the...
Jonathan Chow: With Security Metrics, You Don’t Have to Sweat the Details
Tracking metrics in terms of averages rather than raw vulnerability counts is a great way to keep security improvements in perspective. Becoming totally secure is an elusive if not impossible goal. The real point is to show continuous evolution and improvement. "We...
Aanchal Gupta: With Security Metrics, Every Picture Tells a Story
Tracking externally reported incidents will help you determine whether your security preparedness is trending in the right direction. Don’t try to tell the whole story verbally. A data-rich trend graph can be much more compelling and convincing than any speech. "Right...