Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Ask The Experts

04:45 PM
Joshua Goldfarb
Joshua Goldfarb
Ask the Experts
Connect Directly

What Questions Should I Keep in Mind to Improve My Security Metrics?

If you can answer these six questions, you'll be off to a great start.

Question: What questions should I keep in mind to improve my security metrics?

Joshua Goldfarb, independent consultantSecurity metrics is an area most organizations understand the importance of, but few do well in. While improving security metrics is a complex problem that requires a significant time investment, here are six questions to consider when looking to do so:

• Who is your audience? Before you can design and implement meaningful metrics, you need to know who they're for.

• So what? Measure what matters. If your audience is not interested in what you're measuring, it's of no value.

• Do you need all of that detail? Less is more. Report what answers the questions your audience wants you to answer. Anything beyond that reduces clarity and introduces confusion.

• Have you mapped to controls? Mapping metrics to controls allows us to more accurately measure risk within the organization.

• Are you reporting metrics regularly? Metrics are most valuable when they are living and dynamic, rather than snapshotted and static.

• Do you refine metrics? As metrics begin to lose their value or become less relevant, they must be adjusted or removed.

Related Content: 


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Building Cybersecurity Strategies in Sub-Saharan Africa

Filmed for Dark Reading News Desk at Black Hat Virtual.

LAURA TICH: We have that imbalance, where the big organizations are more protected, where the smaller ones -- which are the most common businesses in the region -- they are least protected... Sometimes they do get the tools, they do get the funding to buy some critical tools, but there's a lack of skills to handle or people who understand how to work those tools. So there are a lot of factors that contribute to our growth -- or lack thereof -- in the cybersecurity industry.


Name That Toon: 'Rise' and Shine
Flash Poll