One of the main issues I find across the information security industry is that we constantly need to justify our existence. Organizations have slowly realized they need to spend on IT to enable their businesses. Information security, on the other hand, is seen as the team that is constantly preventing the business from doing as it pleases. IT is seen as a driver of success, and security can be, too. The security team just needs to learn how to enable the business.
What businesses do understand is risk. If they understand the risks associated with a certain action, they will likely think twice before freely gallivanting in the www (the wild wild web).
Cybersecurity Metrics in Business Context
As such, we as security professionals need to ensure we are providing data to the business, so they understand what we do and how we go about protecting them.
The question herein is: What metrics should we provide?
As technical folks, it’s easy for us to get caught up in the details. What we often forget is that executives and business-minded individuals have no idea what we’re talking about. They just smile and nod, but when it’s time to pull out the chequebook to fund an information security project, they won’t be able to justify the cost.
Next time you are building an executive metrics deck, keep this in mind: If they don’t understand how you are saving them money, they won’t give you money to fund your projects.
Vulnerability Management Metrics
One of the foundational areas for a security program is vulnerability management (VM). This blog post will focus on the specific metrics you should be looking at as part of your vulnerability management program.
When talking about VM, it’s very easy to get caught (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Irfahn Khimji. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/turning-data-metrics-vulnerability-story/