Blue Hexagon Blog

The CISO Manifesto: Rethinking How Cybersecurity Success Is Measured

At our CISO Manifesto roundtable event on the eve of RSA 2019, one theme dominated the discussion: measurement is vital to the success of your security program. And that measurement shouldn’t be of the things a vendor thinks are important, but of what is important to your organization, its leaders, and its customers.

For far too long vendors have promoted numbers that put their product in the best possible light based on parameters that may or may not have anything to do with keeping your data safe. To be fair, vendors should boast about what they do well, but there’s a definite sense within the CISO community that traditional approaches to security haven’t kept pace with the threat environment, and so the metrics that have been used for years are no longer valid.

We think the industry can do better. CISOs need us to do better and we’ve begun a conversation that involves both sides of the industry to rethink the way we measure success.

That conversation kicked off on March 3 with a discussion featuring a quintet of respected security leaders: “Ronin CISO” and former Honeywell CSO Rich Mason; CISO and author Richard Seiersen; Mastercard vice president of security engineering Anne Marie Zettlemoyer; Greg Shannon, chief scientist for the CERT division at Carnegie Mellon University; and Delta Dental CISO Tom Baltis. Attendees included a Who’s Who of CISOs from across industry, with major players from financial services, healthcare, entertainment, consumer services, manufacturing and several key security companies. From the start, the packed room engaged in a vigorous discussion of their frustrations, successes, and values.

If you’d like to view the entire panel discussion (along with interesting Q&A at the end), check out the video here.

We’ve developed a white paper that frames this discussion and we encourage your feedback as this conversation continues. The whitepaper touches on the following key areas:

  • Metrics Matter: How important are security metrics?
  • Distance Matters: Should threat detection/mitigation occur as far away from the defended assets as possible? How do security teams define prevention versus response?
  • Time Matters: How important is the time component? Many security metrics today are framed in time: dwell time, mean time to detect, mean time to respond. Is the right metric time-to-verdict rather than time-to-detect?
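To make the time-to-detect versus time-to-verdict question concrete, here is an added example (not code from Blue Hexagon, the panel, or the whitepaper) that computes the time-based metrics named above from a set of constructed, hypothetical incident records. The metric definitions are assumptions for illustration: MTTD is compromise to first alert, time-to-verdict is compromise to a confirmed analyst verdict, MTTR is first alert to containment, and dwell time is compromise to containment. Teams define these differently, so treat the formulas, not the numbers, as the point.

```python
"""Time-based security metrics from constructed incident records.

Added example, not part of the original post. Metric definitions are
assumptions chosen for illustration; adjust them to your own program.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    name: str
    compromised_at: datetime          # first attacker activity (forensic estimate)
    alerted_at: datetime              # first alert raised by any control
    verdict_at: Optional[datetime]    # analyst confirmed true positive; None while in triage
    contained_at: Optional[datetime]  # attacker access removed; None if still open


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mean_time_to_detect(incidents: List[Incident]) -> float:
    """Mean hours from compromise to first alert (assumed MTTD definition)."""
    return mean(_hours(i.alerted_at - i.compromised_at) for i in incidents)


def mean_time_to_verdict(incidents: List[Incident]) -> float:
    """Mean hours from compromise to a confirmed verdict; open triage is excluded."""
    closed = [i for i in incidents if i.verdict_at is not None]
    return mean(_hours(i.verdict_at - i.compromised_at) for i in closed)


def mean_time_to_respond(incidents: List[Incident]) -> float:
    """Mean hours from first alert to containment (assumed MTTR definition)."""
    done = [i for i in incidents if i.contained_at is not None]
    return mean(_hours(i.contained_at - i.alerted_at) for i in done)


def mean_dwell_time(incidents: List[Incident]) -> float:
    """Mean hours the attacker had access: compromise to containment."""
    done = [i for i in incidents if i.contained_at is not None]
    return mean(_hours(i.contained_at - i.compromised_at) for i in done)


def awaiting_verdict(incidents: List[Incident]) -> List[str]:
    """Incidents whose alert fired but that have no verdict yet: detected, not decided."""
    return [i.name for i in incidents if i.verdict_at is None]


def metrics_report(incidents: List[Incident]) -> dict:
    """All four time metrics plus the triage backlog, in one dict."""
    return {
        "mttd_h": mean_time_to_detect(incidents),
        "mttv_h": mean_time_to_verdict(incidents),
        "mttr_h": mean_time_to_respond(incidents),
        "dwell_h": mean_dwell_time(incidents),
        "awaiting_verdict": awaiting_verdict(incidents),
    }


# Constructed sample data: hypothetical incidents, not real cases.
T = datetime(2019, 3, 1)
SAMPLE_INCIDENTS = [
    # fast alert, verdict the same morning, contained by noon
    Incident("A", T, T + timedelta(hours=2), T + timedelta(hours=10), T + timedelta(hours=12)),
    # fast alert, but the alert sat in the queue for a day before anyone confirmed it
    Incident("B", T + timedelta(days=1), T + timedelta(days=1, hours=1),
             T + timedelta(days=2, hours=1), T + timedelta(days=2, hours=5)),
    # alert fired 30 minutes in and is still in triage: no verdict, no containment
    Incident("C", T + timedelta(days=4), T + timedelta(days=4, minutes=30), None, None),
]

if __name__ == "__main__":
    for key, value in metrics_report(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On this sample, MTTD is about 1.2 hours while mean time-to-verdict is 17.5 hours. The detection metric looks excellent; the verdict metric exposes the day that incident B spent unconfirmed in the queue and the open triage on incident C, which is exactly the gap the time-to-verdict question is asking about.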

At the end of the whitepaper, we include a metrics checklist for security teams looking to put these discussion topics into practice. Download the whitepaper today.

We look forward to hearing from you. Meanwhile, keep your eyes on this blog, and follow us on Twitter (@bluehexagonai) or LinkedIn for more CISO-related content.