Using Security Metrics to Defend the Business
- The CISO should be prepared to answer a CEO’s questions using metrics on the applications, processes, and end users that matter most.
- The CISO must also act as an educator to the CEO and to the other key stakeholders. Metrics are an important way to make sure that message actually reaches them.
When a chief executive officer (CEO) asks the question, “Just how secure are we?”, Julian Waits thinks the chief information security officer (CISO) should be prepared to answer with metrics on the applications, processes, and end users that matter most. “Whatever metrics you’re going to share with the CEO, board, or executives, you need to prioritize them around the things that are most important to the business,” Waits says.