Building Better Security Metrics

OVERVIEW

Let’s face it: most of us don’t like gathering and reporting metrics. But the boss says “that which isn’t measured isn’t managed.” Of course there’s the problem of users gaming metrics to paint unrealistic pictures to stakeholders. Good metrics should serve as a heuristic for stakeholders to understand a situation at a high level without needing to understand all the nuance of how the sausage is made. In other words, metrics should tell a story. Since you’ll be generating security metrics anyway, shouldn’t they tell the right story?

Beyond the obvious justification of “management says you have to,” as an aspiring security leader you should be self-motivated to create and deliver better metrics. If there’s one thing leadership abhors, it’s uncertainty. Better metrics don’t eliminate uncertainty, but they do promote better understanding, leading to better evaluation of risk.

In this presentation, you’ll learn the principles of generating compelling metrics. We’ll then cover examples of easy-to-gather metrics across a range of security disciplines, including SOC, cyber threat intelligence, threat hunting, and incident response. Come learn how to level up your metrics game in this session!

Presented By

JAKE WILLIAMS
Director of Cyber Threat Intelligence, SCYTHE