Security Metrics Need Validation and Context
- To work in the boardroom, metrics must encapsulate the business’ security posture, and that’s not always so easy to do.
- The best way to validate your security metrics is through third-party risk assessment and penetration testing.
“Just looking at these vulnerability statistics is not enough. You also need to validate them and put them in context.”
There was a time when information security was something you added to the business—an extra layer of protection, like insurance—and it often received scant attention in the boardroom. That’s no longer the case. Today, security is baked into business operations. “Security has become a big C-suite topic, both from the perspective of risk from outside attack and meeting compliance requirements,” says Trevor Hawthorn.