Shawn Lawson: Communicating Security Takes More Than Raw Metrics
A set of security metrics can give you a picture of the state of your security, but not necessarily the whole picture. For that, use metrics to create and illustrate trends over time. At the board level, raw security metrics are just noise. Instead, use...
Jason Remillard: Business Leaders Must Relate to Your Security Metrics
Choose metrics that you can communicate simply, directly, and cogently to busy executives, and make sure the metrics address real business issues. If leadership can relate to your work as a CISO, you’ll come out much farther ahead. "When you’re talking risk and...
Aaron Weller: The Best Security Metrics Are Actionable
Activity metrics are useful only to prove that you’re doing something, but they don’t show how effective that activity is. Everything that gets presented to the board has to have a clear link back to business value and business strategy. "If a metric changes and you...
Steven Parker: Security Metrics: The More You Know, the More You Grow
A solid, standardized framework will answer many questions about how secure you are, but tracking the right metrics will drive your understanding deeper. Your basic message to executives should be that secure systems are what make it possible to continue growing the...
Roota Almeida: Security Metrics Must Demonstrate Effective Security Governance
The executive committee is interested in the anticipated outcomes of resource allocations. There are instances where security teams deal in qualitative evaluation, but remember that the executive committee wants quantifiable answers based on quantitative metrics....
Ed Adams: Government Agencies Rely Too Heavily on Compliance
Software is now running our world. If we don’t create and deploy secure software, we are creating massive attack surfaces for ourselves. Most government agencies are not driven by a need to achieve a certain security posture. Rather, they’re driven by mandates to be...
Dave Shackleford: Make Security Metrics Your Chaos Indicator
Choose metrics purposefully. Tracking unapproved configuration changes makes sense; tracking the number of antivirus installations probably doesn’t. CISOs should constantly chart their IT environment and keep tracked metrics close at hand, to be communicated at a...
J. Wolfgang Goerlich: Strengthen Security by Gathering Quality Threat Intelligence Metrics
To determine the best security metrics for your organization, gather quality intelligence on the internal and external threats unique to your environment. When communicating your company’s security posture to the CEO, use specific examples that are supported by data...
Julian Waits: Using Security Metrics to Defend the Business
The CISO should be prepared to answer a CEO’s questions using metrics on the applications, processes, and end users that matter most. The CISO must play educator to the CEO as well as the other key end users. Metrics are an important way to ensure that the word is...
Vikas Bhatia: The Key: Linking Security Metrics to Business Objectives
The CEO is looking to the CISO and the CISO’s organization to adequately assess the risk and prioritize it. Rather than reporting on the ROI for one piece of equipment, it’s best to present the board with information showing how the investment has affected the...