Defending Metrics

Yesterday, I attacked metrics claiming that the way they are being used today, they were useless to upper management and didn’t relate the value of the InfoSec team to the business. While I stand behind that claim, also believe that a lot of metrics being performed today are very useful to technical management especially those with operation responsibilities. With that in mind, I’d like to point our readers to a newish blog, Security Retentive by Andy Steingruebl. Andy and I worked together way back when and I can’t say enough nice things about him. On Sunday, Andy talked about building effective metrics. In this case, he talked about vulnerability management though he promises to cover anti-virs software and software security in later posts. I for one will be on the lookout for the follow-ups. Andy covers a good strategy for launching and measuring a vulnerability management program. I don’t want to steal his thunder, so go read what he has to say.

Attacking Metrics

Last week I had the pleasure of having lunch with Alex Hutton from RMI and we got to talking about metrics. Specifically, we talked about how most metrics that we security folks come up with are well boring are effectively useless to upper management. At best they are focused on technical management such as the CIO and CSO. Like much of the rest of our industry, we metrics folks have again failed to relate our services to the business at large. Yesterday, Alex posted a great article on the sad state of metrics in our industry. I claim no credit what so ever for any of Alex’s content (his thoughts here go far deeper than anything we covered over bowls of Pho), I heartily encourage you all to read what he has to say as he covers far more ground than what I’ve hinted at above.