Question: What questions should I keep in mind to improve my security metrics?
Joshua Goldfarb, independent consultant: Security metrics is an area most organizations understand the importance of, but few do well in. While improving security metrics is a complex problem that requires a significant time investment, here are six questions to consider when looking to do so:
• Who is your audience? Before you can design and implement meaningful metrics, you need to know who they're for.
• So what? Measure what matters. If your audience is not interested in what you're measuring, it's of no value.
• Do you need all of that detail? Less is more. Report what answers the questions your audience wants you to answer. Anything beyond that reduces clarity and introduces confusion.
• Have you mapped to controls? Mapping metrics to controls allows us to more accurately measure risk within the organization.
• Are you reporting metrics regularly? Metrics are most valuable when they are living and dynamic, rather than snapshotted and static.
• Do you refine metrics? As metrics begin to lose their value or become less relevant, they must be adjusted or removed.
Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...