December 15, 2016

Impact vs. risk: information security measurement for agile organizations

Successful information security organizations are often invisible; security is a pervasive but not onerous part of the company culture, process, and technology. Data, people and other important assets are protected, but still dynamic. Does this sound like your company? Probably not … unfortunately, this agile organizational mecca is rare. Too many information security organizations have a philosophy of “risk elimination”, which leads to the proliferation of granular risk measurement processes and tools that require significant […]
December 15, 2016

Qualitative vs. quantitative: delivering better information security insight

Today’s Chief Information Security Officer (CISO) has a blinding array of metrics available to describe the health of their information security organization. Not surprisingly, as technology executives with a portfolio of the latest tools at their disposal, there’s often a heavy reliance on technical metrics. The challenge with these metrics, as you might expect, is that they speak to technical vulnerabilities – things like mismanagement symptoms, malicious activities, or incident reports. Dashboards routinely show things […]