Shostack + Friends Blog Archive

 

Attacking Metrics

Last week I had the pleasure of having lunch with Alex Hutton from RMI and we got to talking about metrics. Specifically, we talked about how most metrics that we security folks come up with are, well, boring and effectively useless to upper management. At best they are focused on technical management such as the CIO and CSO. Like much of the rest of our industry, we metrics folks have again failed to relate our services to the business at large. Yesterday, Alex posted a great article on the sad state of metrics [link to http://riskmanagementinsight.com/riskanalysis/?p=218 no longer works] in our industry. I claim no credit whatsoever for any of Alex’s content (his thoughts here go far deeper than anything we covered over bowls of Pho). I heartily encourage you all to read what he has to say, as he covers far more ground than what I’ve hinted at above.