Many organizations struggle to measure the effectiveness of their security controls, mostly because they misunderstand what actually makes a good metric. Organizations too often apply metrics and measurements that are out of their control. Is having more vulnerabilities better or worse? Well, it depends on who you ask. A software company wants to show it is diligent in identifying vulnerabilities; for others, it's more about showing they are more secure.
We will explore good and bad metrics, including how to define, track and understand their contribution to the organization.
Learning Objectives:
Understand metrics that are in your control and those that are outside of it.
Define metrics that are measurable, consistent and contributing to the organization.
Conduct discovery sessions on helpful measurements and metrics for your organization.