Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

What Questions Should I Keep in Mind to Improve My Security Metrics?

If you can answer these six questions, you'll be off to a great start.

Joshua Goldfarb, Field CISO

January 13, 2020


Question: What questions should I keep in mind to improve my security metrics?

Joshua Goldfarb, independent consultant: Security metrics are an area most organizations recognize as important, but few handle well. Improving security metrics is a complex problem that requires a significant time investment; here are six questions to consider when setting out to do so:

• Who is your audience? Before you can design and implement meaningful metrics, you need to know who they're for.

• So what? Measure what matters. If your audience is not interested in what you're measuring, it's of no value.

• Do you need all of that detail? Less is more. Report what answers the questions your audience wants you to answer. Anything beyond that reduces clarity and introduces confusion.

• Have you mapped to controls? Mapping metrics to controls allows us to more accurately measure risk within the organization.

• Are you reporting metrics regularly? Metrics are most valuable when they are living and dynamic, rather than snapshotted and static.

• Do you refine metrics? As metrics begin to lose their value or become less relevant, they must be adjusted or removed.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
