Dave Shackleford: Make Security Metrics Your Chaos Indicator
Choose metrics purposefully. Tracking unapproved configuration changes makes sense; tracking the number of antivirus installations probably doesn’t. CISOs should constantly chart their IT environment and keep tracked metrics close at hand, to be communicated at a...
J. Wolfgang Goerlich: Strengthen Security by Gathering Quality Threat Intelligence Metrics
To determine the best security metrics for your organization, gather quality intelligence on the internal and external threats unique to your environment. When communicating your company’s security posture to the CEO, use specific examples that are supported by data...
Julian Waits: Using Security Metrics to Defend the Business
The CISO should be prepared to answer a CEO’s questions using metrics on the applications, processes, and end users that matter most. The CISO must play educator to the CEO as well as the other key end users. Metrics are an important way to ensure that the word is...
Vikas Bhatia: The Key: Linking Security Metrics to Business Objectives
The CEO is looking to the CISO and the CISO’s organization to adequately assess the risk and prioritize it. Rather than reporting on the ROI for one piece of equipment, it’s best to present the board with information showing how the investment has affected the...
Jonathan Chow: With Security Metrics, You Don’t Have to Sweat the Details
Tracking metrics in terms of averages rather than raw vulnerability counts is a great way to keep security improvements in perspective. Becoming totally secure is an elusive if not impossible goal. The real point is to show continuous evolution and improvement. "We...
Aanchal Gupta: With Security Metrics, Every Picture Tells a Story
Tracking externally reported incidents will help you determine whether your security preparedness is trending in the right direction. Don’t try to tell the whole story verbally. A data-rich trend graph can be much more compelling and convincing than any speech. "Right...
Roy Mellinger: Security Metrics: It’s a Composite Image
Before your metrics monitoring can even begin, you must first decide the IT security priorities for your organization. The information security metrics that senior leaders tend to cherish most are those that show them how their business stacks up against their...
Scott Singer: Present Security Metrics Using Risk-Based Language
In many cases, board and CEO presentations focus on particular issues they must address or decisions they need to make. To make a decision, the board needs security information in the context of risk, risk mitigation, and costs associated with eliminating that kind of...
Trevor Hawthorn: Security Metrics Need Validation and Context
To work in the boardroom, metrics must encapsulate the business’ security posture, and that’s not always so easy to do. The best way to validate your security metrics is through third-party risk assessment and penetration testing. "Just looking at these vulnerability...
Genady Vishnevetsky: Security Metrics Are About Illustrating Criticality vs Risk
Metrics are useful for gathering information about vulnerabilities, but until those metrics are distilled into something the CEO understands, they’re nothing more than numbers. Stay away from large, raw metrics. Instead, present security and vulnerabilities as a scale...