Building an effective cybersecurity metrics program
CISOs strive to develop and use security metrics as an objective way to: (1) portray the state of their security programs; and (2) effect positive change to security controls, like patching within SLAs and improving phishing email awareness. However, they are challenged by data collection difficulties, limitations of reporting tools, and uncertainties about what metrics are relevant for different audiences (e.g., board, management, IT and security personnel).
During this month of CISO Stories, practitioners will share their experiences and challenges with implementing a cybersecurity metrics program. Guidance and tools developed by a cross sector task force of CISOs are shared as well, highlighting:
- The Cybersecurity Collaborative Security Metrics Framework
- Criteria for an effective security metric
- Methods for metrics reporting and decision-making
- Guidance for initiating a metrics program
- Strategies for expanding the program
- Tools for collecting and reporting metrics
- The Cybersecurity Collaborative Security Metrics Workbook (working metrics examples)
Practitioners will also connect the dots on how such metrics should be used to continuously improve identity, application, cloud and network security, anti-ransomware efforts, zero trust, email security, threat intelligence, AI and third-party risk management.
Speakers
Parham Eftekhari is a recognized business executive in the information security sector with a lifelong passion for leadership, and community engagement. His expertise spans critical infrastructure technology and policy, business strategy and operations, executive advising, and thought leadership content initiatives.
Parham has published over a dozen information security reports, regularly engages with the media, and has contributed to countless briefings and events at institutions including TEDx, Congress, the World Bank, RSA, IFA+, (ISC)2, C-SPAN, and the Institute for Critical Infrastructure Technology (ICIT).
For over 20 years, Tom has practiced as a cyber security professional as an executive director of information security for Verizon, a founder of two cyber security consulting firms, and Vice President of Content and Programs for the Cybersecurity Collaborative.
Tom is CEO of MyDataOnly, Inc., which offers privacy and security consultation and security (penetration) testing services. Tom began his career in IT in programming and strategic planning and later founded a customer satisfaction measurement firm.
Tom holds four security certifications (CISSP, CISM, PCIP) and one privacy certification (CIPP/US). He has a master’s degree from MIT’s Sloan School of Management and is a Marine Corps veteran.