Jonathan Chow: With Security Metrics, You Don’t Have to Sweat the Details
Tracking metrics in terms of averages rather than raw vulnerability counts is a great way to keep security improvements in perspective. Becoming totally secure is an elusive if not impossible goal. The real point is to show continuous evolution and improvement. "We...
Aanchal Gupta: With Security Metrics, Every Picture Tells a Story
Tracking externally reported incidents will help you determine whether your security preparedness is trending in the right direction. Don’t try to tell the whole story verbally. A data-rich trend graph can be much more compelling and convincing than any speech. "Right...
Roy Mellinger: Security Metrics: It’s a Composite Image
Before your metrics monitoring can even begin, you must first decide the IT security priorities for your organization. The information security metrics that senior leaders tend to cherish most are those that show them how their business stacks up against their...
Scott Singer: Present Security Metrics Using Risk-Based Language
In many cases, board and CEO presentations focus on particular issues they must address or decisions they need to make. To make a decision, the board needs security information in the context of risk, risk mitigation, and costs associated with eliminating that kind of...
Trevor Hawthorn: Security Metrics Need Validation and Context
To work in the boardroom, metrics must encapsulate the business’s security posture, and that’s not always easy to do. The best way to validate your security metrics is through independent third-party risk assessment and penetration testing, which check the numbers against what an attacker can actually reach. "Just looking at these vulnerability...
Genady Vishnevetsky: Security Metrics Are About Illustrating Criticality vs Risk
Metrics are useful for gathering information about vulnerabilities, but until those metrics are distilled into something the CEO understands, they’re nothing more than numbers. Stay away from large, raw metrics. Instead, present security and vulnerabilities as a scale...
Andrew Storms: Define Security Metrics That Are Valuable Across the C-Suite
Focusing on metrics just to have metrics won’t help keep an organization secure. Instead, the focus should be on metrics that are specific to the company. Focus on metrics that you can track and improve consistently over time rather than focusing on whatever metrics...
Chris Mark: Security Metrics Make Sense Only in the Context of Risk
The question of ‘how secure are we’ can only be answered in the context of identified risk. When we talk about security, we aren’t talking about objective, probabilistic events. "As important as compliance is, being compliant does not equate to being secure." Security...
Jake Kouns: To Be Thorough, Include Vendor Security Metrics
With companies depending more and more on outsourced software products, cloud-based services, and partner relationships, each of those connections extends the organization’s attack surface and becomes a potential point of compromise. CEOs need to understand vendor and product risks from a business decision-making perspective....
Robin “Montana” Williams: A Strategic Approach to Understanding and Measuring Cybersecurity Risk
To determine which security metrics are important to measure, you must first understand your risks and define goals for addressing them. The human aspect of cybersecurity risk management, including awareness training and policy compliance, is especially important to...