Tenable Blog

In this final installment of Marcus’ video blog series on security metrics, he discusses several ideas for presenting relevant metrics to your management. He explains what a good metrics chart should look like and why depicting change over time is the best strategy. But metrics are not just for illustrating history; metrics should be used to indicate and implement security improvements.

Marcus wraps up his video blog series with thoughts on how metrics contribute to leadership.

A well-presented metric should show change over time

The Center for Internet Security (CIS) has come forward with their most recent set of information security controls. The previous edition of the Critical Security Controls listed 20 controls for an organization to implement to protect their networks. The most recent edition (CIS Critical Security Controls v6.0) keeps the same number of controls, but replaces one control and adjusts the priority of others.

This is the third installment in my Drifting Out of Compliance series, taking a closer look at organizational approaches indicative of a point-in-time compliance mentality and the challenges of shifting to a continuous compliance mentality. Although a security first, compliance second approach is best, many organizations still struggle to attain the baseline level of security outlined in compliance requirements.

If “the language of security is metrics,” then establishing a sound security metrics program is a necessity. But why should you track metrics? It’s not just about justifying your security team’s work and budget. In Part 2 of Marcus’ metrics series, listen as he discusses problems and opportunities inherent to security metrics.

Metrics are fun!

Since April 2014, a new trend in security has experienced a meteoric rise, with headlines grabbed in both mainstream media and the tech press. Vulnerabilities, once the preserve of the researcher and defender, were suddenly thrust into the limelight when an OpenSSL bug was announced. Previously, the chances of a big security bug being discussed outside of our industry were low, the media being more concerned about the outcomes and impacts rather than the methods.