SlideShare a Scribd company logo

Developing useful metrics

Priyanka Aash
Priyanka Aash

This document discusses developing useful metrics for governance, risk management, and compliance programs. It begins by explaining the difference between measures and metrics, and emphasizes tying metrics to business objectives and decisions. A 5-step GQIM process is introduced for deriving metrics from objectives: identifying goals, questions, indicators, and metrics based on objectives. Examples are provided for an incident management objective. The document also discusses challenges in identifying meaningful metrics and getting started with a measurement program by focusing on a few key business objectives and questions.

Technology
1 of 39
Download to read offline
SESSION ID:SESSION ID: #RSAC Lisa Young Developing Useful Metrics GRC-F03 Vice President, Service Delivery Axio Global Lyoung@Axio.com David Tobar Senior Cybersecurity Engineer SEI/CERT Carnegie Mellon University Dtobar@cert.org
#RSAC Notices Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM-0003301
#RSAC GRC-F03 3 This session does not cover specific technical security metrics does cover the importance of metrics tied to things that matter to the business Why you might want to stay for this session - if you are interested in determining what to measure in support of business objectives identifying risks and gaps in your current measurement processes a process for developing metrics that will help you do these things
#RSAC Why do you want to measure?
#RSAC Key questions What should I measure to determine if I am meeting my performance objectives for security? What is the business value of being more secure? Of a specific security investment?
#RSAC Terminology (*) Measure vs. metric I had 2 eggs for breakfast this morning It’s 53 degrees in San Francisco, CA This session is 40 minutes long A measure (or measurement) is the value of a specific characteristic of a given entity (collected data). A metric is the aggregation of one or more measures to create a piece of business intelligence, in context. OR (*) Visualize This! Meaningful Metrics for Managing Risk. Session GRC-F02, RSA Conference 2014.
#RSAC So what? Why do you care? If I had this metric: (*) What decisions would it inform? What actions would I take based on it? What behaviors would it affect? What would improvement look like? What would its value be in comparison to other metrics? (*) informed by Douglas Hubbard, How to Measure Anything, John Wiley & Sons, 2010
#RSAC Why measure? Speak to decision makers in their language Demonstrate that the security program has measurable business value Justify new investments; make improvements Use trends to help predict future events Demonstrate that control objectives are (and continue to be) met Answer key questions
#RSAC Deriving Metrics from Objectives - GQIM
#RSAC Key questions Not “What metrics should I use?” but “What do I want to know or learn?” Alternatives: What decisions do I want to inform? What actions do I want to take? What behaviors do I want to change?
#RSAC Purpose Use a defined, repeatable process to derive meaningful metrics that directly support achievement of business objectives and: demonstrate the business value of each metric (and justify the cost for its collection and reporting) defend such metrics in comparison to others add metrics, update metrics, and retire metrics as business objectives change ultimately, inform business decisions, take appropriate action, and change behaviors
#RSAC Key takeaways Understand a 5-step process for deriving metrics from business or program objectives Be able to apply this process to your objectives Identify at least one metric that you can use immediately Be able to better communicate with business leaders in their language Assess the utility of current metrics
#RSAC GQIM process Objectives Identify business objectives that establish the need for resilience and cybersecurity Goal Develop one or more goals for each objective Question Develop one or more questions that, when answered, help determine the extent to which the goal is met Indicator Identify one or more pieces of information that are required to answer each question Metric Identify one or more metrics that will use selected indicators to answer the question
#RSAC Objectives to Goals
#RSAC Process State a business or program objective Define one or more goals that are required to achieve the stated objective Goal: the end toward which effort is directed Fewer are better Essential (high leverage/high payoff) vs. complete coverage — Judgment informed by stakeholder review
#RSAC Objectives to Goals What are meaningful actions to take to achieve the objective? Which actions are most important? 2-3 that are essential, high leverage, high payoff Carry forward and refine key terms from the objective in the goals Ask “If I achieve this goal, will I be able to demonstrate substantive progress in achieving the objective?”
#RSAC Objective to Goals – Incident Management example Objective Goal Mitigate the risks of business disruption and loss resulting from cybersecurity incidents (with impact threshold > [x]) Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. • enterprise and operational unit levels Others?
#RSAC Goals to Questions
#RSAC Goals to Questions -1 What are meaningful questions to answer to determine if the goal is being achieved? Requires subject matter expertise Which questions are most important? Carry forward and refine key terms from the goal in the question Ask “If I answer this question, will I be able to demonstrate substantive progress in achieving the goal?”
#RSAC Goals to Questions -2 Useful questions are in the form of: What is the process for . . . (better than “How does the organization . . .”) — leads to implementation metrics How effective is . . . — leads to effectiveness metrics — most desirable but need implementation metrics first
#RSAC Goal to Questions – IM example Goal Questions G1: Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. Q1: What is the process by which suspicious events are detected and declared as incidents? Q2: What is the criteria for escalating high- impact incidents? To whom? Others?
#RSAC Questions to Indicators
#RSAC Questions to Indicators What data do I need to answer the question? Can add more data granularity than called for in the question In what form should the data be reported? Which data is most important? Carry forward and refine key terms from the question in the indicators Ask “If I have this data, will I be able to answer some aspect of the question?”
#RSAC Goal Question Indicators G1 Q1: What is the process by which suspicious events are detected and declared as incidents? Q1.I1: process and criteria for detecting and triaging suspicious events Q1.I2: process and criteria for declaring incidents Others? Question to Indicators – IM example
#RSAC Indicators to Metrics
#RSAC Indicators to Metrics Using the indicator data, what number, percentage, mean, or other metric can I collect/calculate to help answer the question? a percentage presumes 2 numbers are available so you don’t need to list the numbers as a metric if the percentage is based on it Which metrics are most important? Ask “Do I need additional data (more indicators)?” Ask “If I report this metric (over time), will it provide the greatest insight possible to answer the questions from which it derives?”
#RSAC Using this method to validate your current questions or metrics
#RSAC What if I only have a Metric? - 1 “We’ve always reported the number of machines with patches out of date.” How are you using this metric today? “What question will this metric answer?” This metric answers the following question: “How many machines are currently out of date?
#RSAC What if I only have a Metric? - 2 Answering this question will demonstrate substantive progress in achieving what goal? The goal answered by this question is “Keep machines up to date through patching.” Will this goal demonstrate progress againstan existing strategic business or program objective? By measuring the actual time between patch release and patch application, you are able to measure your organization’s ability to improve patch capability.
#RSAC Using GQIM to restate Strategic Business Objective: Mitigate the risk of successful software exploits by minimizing out-of-date software systems. Goal: Improve my organization’s process for patch management Question: How effective is my patch management process? Indicators: Increased efficiencies in the patch management process Metrics: Actual time between patch release and patch application. s
#RSAC What if all I have is a Question? - 1 “I’m always asked if my users have the proper level of system access.” How are you answering this question today? If the answer to this question is yes, what is the goal I am trying to achieve? — Goal: Ensure all users have the proper level of system access for their job responsibilities.
#RSAC What if all I have is a Question? - 2 What is the strategic business objective tied to this goal? Strategic business objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. What data would I need to answer the question: “Do all users have appropriate system access?” Inventory of IT systems with required security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list
#RSAC Using GQIM to Restate Strategic Business Objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. Goal: Ensure all users have the proper level of system access for their job responsibilities. Question: Do all users have appropriate system access? Indicators: Inventory of IT systems with security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list Metrics: (more user centric) Time (min, max, med) to add a new system to inventory Time (min, max, med) to remove access when violation is discovered “Age” Time (min, max, med) of security and access attributes
#RSAC Barriers and challenges What current barriers do you face in establishing, managing, and/or executing a measurement program? What challenges do you face in identifying meaningful metrics within your organization? Have you identified some new/updated approaches for tackling these?
#RSAC Getting started
#RSAC Approach State a business objective Ideally your business objective supports a stated strategic objective Ensure that [business unit, service, product, supply chain, technology, data center] is … — available to meet a specified customer or revenue growth objective — unavailable for no more than some stated period of time, number of transactions, other units of measure — fully compliant with [law, regulation, standard] so as not to incur penalties
#RSAC To get started Identify sponsors and key stakeholders Define security objectives and key questions Determine information that informs these What information do you already have? What information do you need to collect? What is the value of collecting additional information? Define and vet a small number of key metrics Collect, analyze, report, refine Leverage an existing measurement program
#RSAC Questions Lisa Young Email: Lyoung@axio.com Vice President, Service Delivery Axio Global David Tobar Email: DTobar@cert.org Senior Cybersecurity Engineer Carnegie Mellon University SEI/CERT
#RSAC CERT | Software Engineering Institute | Carnegie Mellon Software Engineering Institute (SEI) Federally funded research and development center based at Carnegie Mellon University Basic and applied research in partnership with government and private organizations CERT – Anticipating and solving our nation’s cybersecurity challenges Largest technical program at SEI Focused on information security, digital investigation and forensics, insider threat, operational risk, vulnerability analysis, network situational awareness, metrics, and governance

Recommended

Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
How to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-ToolsHow to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-Tools
Enterprise Management Associates
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 

Recommended

Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
How to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-ToolsHow to Reduce the Attack Surface Created by Your Cyber-Tools
How to Reduce the Attack Surface Created by Your Cyber-Tools
Enterprise Management Associates
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
Life Cycle Engineering
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
Kevin Fealey
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
Sounil Yu
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio Management
Priyanka Aash
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
PECB
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
WAJAHAT IQBAL
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
SandeshUprety4
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
Doreen Loeber
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
BATbern
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
Rishi Kant
 
Creating Order from Chaos: Metrics That Matter
Creating Order from Chaos: Metrics That MatterCreating Order from Chaos: Metrics That Matter
Creating Order from Chaos: Metrics That Matter
Priyanka Aash
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
centralohioissa
 

More Related Content

What's hot

DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
Kevin Fealey
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
PECB
 

What's hot (20)

Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio Management
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 

Similar to Developing useful metrics

Creating Order from Chaos: Metrics That Matter
Creating Order from Chaos: Metrics That MatterCreating Order from Chaos: Metrics That Matter
Creating Order from Chaos: Metrics That Matter
Priyanka Aash
 
Optimizely building your_data_dna_e_booktthh
Optimizely building your_data_dna_e_booktthhOptimizely building your_data_dna_e_booktthh
Optimizely building your_data_dna_e_booktthh
ciciedeng
 
Key Concepts And Principles Of Internal Quality Assurance...
Key Concepts And Principles Of Internal Quality Assurance...Key Concepts And Principles Of Internal Quality Assurance...
Key Concepts And Principles Of Internal Quality Assurance...
Lanate Drummond
 

Similar to Developing useful metrics (20)

Creating Order from Chaos: Metrics That Matter
Creating Order from Chaos: Metrics That MatterCreating Order from Chaos: Metrics That Matter
Creating Order from Chaos: Metrics That Matter
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
 
SDM Presentation V1.0
SDM Presentation V1.0SDM Presentation V1.0
SDM Presentation V1.0
 
Beyond Firefighting: A Leaders Guide to Proactive Data Quality Management
Beyond Firefighting: A Leaders Guide to Proactive Data Quality ManagementBeyond Firefighting: A Leaders Guide to Proactive Data Quality Management
Beyond Firefighting: A Leaders Guide to Proactive Data Quality Management
 
Happiest Minds NIST CSF compliance Brochure
Happiest Minds NIST CSF compliance BrochureHappiest Minds NIST CSF compliance Brochure
Happiest Minds NIST CSF compliance Brochure
 
Building a business case for expanding your AppSec Program
Building a business case for expanding your AppSec ProgramBuilding a business case for expanding your AppSec Program
Building a business case for expanding your AppSec Program
 
Importance of software quality metrics
Importance of software quality metricsImportance of software quality metrics
Importance of software quality metrics
 
OberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality PlaybookOberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality Playbook
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
Security Predictions
Security PredictionsSecurity Predictions
Security Predictions
 
Standards For Wright Aircraft Corp
Standards For Wright Aircraft CorpStandards For Wright Aircraft Corp
Standards For Wright Aircraft Corp
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security Operations
 
Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005
 
Optimizely building your_data_dna_e_booktthh
Optimizely building your_data_dna_e_booktthhOptimizely building your_data_dna_e_booktthh
Optimizely building your_data_dna_e_booktthh
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
3A - Turning Data into Decisions - Implementing a Cloud-based HSE Leading Ind...
3A - Turning Data into Decisions - Implementing a Cloud-based HSE Leading Ind...3A - Turning Data into Decisions - Implementing a Cloud-based HSE Leading Ind...
3A - Turning Data into Decisions - Implementing a Cloud-based HSE Leading Ind...
 
DevSecOpsMaturityModel.pdf
DevSecOpsMaturityModel.pdfDevSecOpsMaturityModel.pdf
DevSecOpsMaturityModel.pdf
 
Key Concepts And Principles Of Internal Quality Assurance...
Key Concepts And Principles Of Internal Quality Assurance...Key Concepts And Principles Of Internal Quality Assurance...
Key Concepts And Principles Of Internal Quality Assurance...
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Developing useful metrics

  • 1. SESSION ID:SESSION ID: #RSAC Lisa Young Developing Useful Metrics GRC-F03 Vice President, Service Delivery Axio Global Lyoung@Axio.com David Tobar Senior Cybersecurity Engineer SEI/CERT Carnegie Mellon University Dtobar@cert.org
  • 2. #RSAC Notices Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM-0003301
  • 3. #RSAC GRC-F03 3 This session does not cover specific technical security metrics does cover the importance of metrics tied to things that matter to the business Why you might want to stay for this session - if you are interested in determining what to measure in support of business objectives identifying risks and gaps in your current measurement processes a process for developing metrics that will help you do these things
  • 4. #RSAC Why do you want to measure?
  • 5. #RSAC Key questions What should I measure to determine if I am meeting my performance objectives for security? What is the business value of being more secure? Of a specific security investment?
  • 6. #RSAC Terminology (*) Measure vs. metric I had 2 eggs for breakfast this morning It’s 53 degrees in San Francisco, CA This session is 40 minutes long A measure (or measurement) is the value of a specific characteristic of a given entity (collected data). A metric is the aggregation of one or more measures to create a piece of business intelligence, in context. OR (*) Visualize This! Meaningful Metrics for Managing Risk. Session GRC-F02, RSA Conference 2014.
  • 7. #RSAC So what? Why do you care? If I had this metric: (*) What decisions would it inform? What actions would I take based on it? What behaviors would it affect? What would improvement look like? What would its value be in comparison to other metrics? (*) informed by Douglas Hubbard, How to Measure Anything, John Wiley & Sons, 2010
  • 8. #RSAC Why measure? Speak to decision makers in their language Demonstrate that the security program has measurable business value Justify new investments; make improvements Use trends to help predict future events Demonstrate that control objectives are (and continue to be) met Answer key questions
  • 9. #RSAC Deriving Metrics from Objectives - GQIM
  • 10. #RSAC Key questions Not “What metrics should I use?” but “What do I want to know or learn?” Alternatives: What decisions do I want to inform? What actions do I want to take? What behaviors do I want to change?
  • 11. #RSAC Purpose Use a defined, repeatable process to derive meaningful metrics that directly support achievement of business objectives and: demonstrate the business value of each metric (and justify the cost for its collection and reporting) defend such metrics in comparison to others add metrics, update metrics, and retire metrics as business objectives change ultimately, inform business decisions, take appropriate action, and change behaviors
  • 12. #RSAC Key takeaways Understand a 5-step process for deriving metrics from business or program objectives Be able to apply this process to your objectives Identify at least one metric that you can use immediately Be able to better communicate with business leaders in their language Assess the utility of current metrics
  • 13. #RSAC GQIM process Objectives Identify business objectives that establish the need for resilience and cybersecurity Goal Develop one or more goals for each objective Question Develop one or more questions that, when answered, help determine the extent to which the goal is met Indicator Identify one or more pieces of information that are required to answer each question Metric Identify one or more metrics that will use selected indicators to answer the question
  • 15. #RSAC Process State a business or program objective Define one or more goals that are required to achieve the stated objective Goal: the end toward which effort is directed Fewer are better Essential (high leverage/high payoff) vs. complete coverage — Judgment informed by stakeholder review
  • 16. #RSAC Objectives to Goals What are meaningful actions to take to achieve the objective? Which actions are most important? 2-3 that are essential, high leverage, high payoff Carry forward and refine key terms from the objective in the goals Ask “If I achieve this goal, will I be able to demonstrate substantive progress in achieving the objective?”
  • 17. #RSAC Objective to Goals – Incident Management example Objective Goal Mitigate the risks of business disruption and loss resulting from cybersecurity incidents (with impact threshold > [x]) Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. • enterprise and operational unit levels Others?
  • 19. #RSAC Goals to Questions -1 What are meaningful questions to answer to determine if the goal is being achieved? Requires subject matter expertise Which questions are most important? Carry forward and refine key terms from the goal in the question Ask “If I answer this question, will I be able to demonstrate substantive progress in achieving the goal?”
  • 20. #RSAC Goals to Questions -2 Useful questions are in the form of: What is the process for . . . (better than “How does the organization . . .”) — leads to implementation metrics How effective is . . . — leads to effectiveness metrics — most desirable but need implementation metrics first
  • 21. #RSAC Goal to Questions – IM example Goal Questions G1: Operate a cybersecurity incident center that detects, responds to, and reports security incidents in accordance with established standards and guidelines. Q1: What is the process by which suspicious events are detected and declared as incidents? Q2: What is the criteria for escalating high- impact incidents? To whom? Others?
  • 23. #RSAC Questions to Indicators What data do I need to answer the question? Can add more data granularity than called for in the question In what form should the data be reported? Which data is most important? Carry forward and refine key terms from the question in the indicators Ask “If I have this data, will I be able to answer some aspect of the question?”
  • 24. #RSAC Goal Question Indicators G1 Q1: What is the process by which suspicious events are detected and declared as incidents? Q1.I1: process and criteria for detecting and triaging suspicious events Q1.I2: process and criteria for declaring incidents Others? Question to Indicators – IM example
  • 26. #RSAC Indicators to Metrics Using the indicator data, what number, percentage, mean, or other metric can I collect/calculate to help answer the question? a percentage presumes 2 numbers are available so you don’t need to list the numbers as a metric if the percentage is based on it Which metrics are most important? Ask “Do I need additional data (more indicators)?” Ask “If I report this metric (over time), will it provide the greatest insight possible to answer the questions from which it derives?”
  • 27. #RSAC Using this method to validate your current questions or metrics
  • 28. #RSAC What if I only have a Metric? - 1 “We’ve always reported the number of machines with patches out of date.” How are you using this metric today? “What question will this metric answer?” This metric answers the following question: “How many machines are currently out of date?
  • 29. #RSAC What if I only have a Metric? - 2 Answering this question will demonstrate substantive progress in achieving what goal? The goal answered by this question is “Keep machines up to date through patching.” Will this goal demonstrate progress againstan existing strategic business or program objective? By measuring the actual time between patch release and patch application, you are able to measure your organization’s ability to improve patch capability.
  • 30. #RSAC Using GQIM to restate Strategic Business Objective: Mitigate the risk of successful software exploits by minimizing out-of-date software systems. Goal: Improve my organization’s process for patch management Question: How effective is my patch management process? Indicators: Increased efficiencies in the patch management process Metrics: Actual time between patch release and patch application. s
  • 31. #RSAC What if all I have is a Question? - 1 “I’m always asked if my users have the proper level of system access.” How are you answering this question today? If the answer to this question is yes, what is the goal I am trying to achieve? — Goal: Ensure all users have the proper level of system access for their job responsibilities.
  • 32. #RSAC What if all I have is a Question? - 2 What is the strategic business objective tied to this goal? Strategic business objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. What data would I need to answer the question: “Do all users have appropriate system access?” Inventory of IT systems with required security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list
  • 33. #RSAC Using GQIM to Restate Strategic Business Objective: Mitigate insider threats by ensuring appropriate levels of system access for all users. Goal: Ensure all users have the proper level of system access for their job responsibilities. Question: Do all users have appropriate system access? Indicators: Inventory of IT systems with security and access attributes Current list of users with approved security attributes An ability to compare IT systems access and users list Metrics: (more user centric) Time (min, max, med) to add a new system to inventory Time (min, max, med) to remove access when violation is discovered “Age” Time (min, max, med) of security and access attributes
  • 34. #RSAC Barriers and challenges What current barriers do you face in establishing, managing, and/or executing a measurement program? What challenges do you face in identifying meaningful metrics within your organization? Have you identified some new/updated approaches for tackling these?
  • 36. #RSAC Approach State a business objective Ideally your business objective supports a stated strategic objective Ensure that [business unit, service, product, supply chain, technology, data center] is … — available to meet a specified customer or revenue growth objective — unavailable for no more than some stated period of time, number of transactions, other units of measure — fully compliant with [law, regulation, standard] so as not to incur penalties
  • 37. #RSAC To get started Identify sponsors and key stakeholders Define security objectives and key questions Determine information that informs these What information do you already have? What information do you need to collect? What is the value of collecting additional information? Define and vet a small number of key metrics Collect, analyze, report, refine Leverage an existing measurement program
  • 38. #RSAC Questions Lisa Young Email: Lyoung@axio.com Vice President, Service Delivery Axio Global David Tobar Email: DTobar@cert.org Senior Cybersecurity Engineer Carnegie Mellon University SEI/CERT
  • 39. #RSAC CERT | Software Engineering Institute | Carnegie Mellon Software Engineering Institute (SEI) Federally funded research and development center based at Carnegie Mellon University Basic and applied research in partnership with government and private organizations CERT – Anticipating and solving our nation’s cybersecurity challenges Largest technical program at SEI Focused on information security, digital investigation and forensics, insider threat, operational risk, vulnerability analysis, network situational awareness, metrics, and governance