Andrew Storms: Define Security Metrics That Are Valuable Across the C-Suite
Focusing on metrics just to have metrics won’t help keep an organization secure. Instead, the focus should be on metrics that are specific to the company. Focus on metrics that you can track and improve consistently over time rather than focusing on whatever metrics...
Chris Mark: Security Metrics Make Sense Only in the Context of Risk
The question of ‘how secure are we’ can only be answered in the context of identified risk. When we talk about security, we aren’t talking about objective, probabilistic events. "As important as compliance is, being compliant does not equate to being secure." Security...
Jake Kouns: To Be Thorough, Include Vendor Security Metrics
With companies depending more and more on outsourced software products, cloud-based services, and partner relationships, those connections become potential vulnerabilities. CEOs need to understand vendor and product risks from a business decision-making perspective....
Robin “Montana” Williams: A Strategic Approach to Understanding and Measuring Cybersecurity Risk
To determine which security metrics are important to measure, you must first understand your risks and define goals for addressing them. The human aspect of cybersecurity risk management, including awareness training and policy compliance, is especially important to...
Daniel Riedel: Security Metrics Help CEOs Balance the Cost of Loss Against the Cost of Protection
Risk–cost awareness provides guidance on how to allocate resources to secure the enterprise infrastructure. With risk–cost awareness, it’s possible to communicate security metrics to the CEO or board in terms that enable them to make the necessary financial decisions....
Charles Tholen: Security Metrics Need to Show That Things Are Getting Done
Metrics that are most useful to the CEO relate to how far along the program is in achieving its goals. Security is more than just an operational cost. It’s also increasingly becoming a business enabler. "The CEO wants to know whether a process is or is not implemented...
Tim Prendergast: Security Metrics Should Show How Well You’re Adhering to a Plan
If you see better results each time you run the tests, you know you have an effective security program that is reducing your attack surface. Metrics that measure the security IQ of people accessing your cloud environments are a good place to start. "There are two high...
Adam Ely: Choose Security Metrics That Tell a Story
Stay away from tactical metrics that don’t help executives understand the value of the security program. Use metrics to build a cohesive story that illustrates the probability of security issues, the potential damage that can be done, and steps necessary to reduce...
Nikk Gilbert: Good Security Metrics Build Relationships and Trust
Metrics can be a great way to establish the CISO’s integrity within the enterprise. Measuring metrics, both at the operational and strategic levels, is vital. "What I’m trying to do from a strategic point of view is find those metrics that are really going to resonate...
Keyaan Williams: Proactively Communicate the Right Security Metrics—Before the CEO Asks
Effective communication of security information, before the CEO asks, is a measure of a CISO’s effectiveness. Be intelligently selective about metrics: focus only on those that provide business value. "The way you develop your security strategy and align it to the...