With Security Metrics, You Don’t Have to Sweat the Details
- Tracking metrics in terms of averages rather than raw vulnerability counts is a great way to keep security improvements
- Becoming totally secure is an elusive if not impossible goal. The real point is to show continuous evolution and improvement.
“We started to make it higher level. We weren’t focusing so much on specific vulnerabilities.”
It was only a few years ago, as he was taking his current job as chief information security officer and senior vice president at Live Nation Entertainment, that Jonathan Chow discovered how important it is to focus on metrics that really matter to the business. His task at the time was to build a security program from scratch. “When we first started to get the numbers, they were pretty abysmal,” Chow states. Nobody had asked the security team to measure security metrics before. “Quite honestly,” he recalls, “it was overwhelming.”