For security professionals, two free risk-management guides out this week provide directions on how to establish corporate security metrics, as well as tips on organizing risk-assessment and ...
The National Defense Authorization Act for Fiscal Year 2017 (2017 NDAA) requires the Department of Homeland Security (DHS) to develop an annual report containing 43 specific metrics to measure the ...
For years, organizations have relied on traditional security metrics to measure their risk posture. Service-level agreements (SLAs), issue closure rates, and compliance checklists dominate dashboards, ...
With the US Securities and Exchange Commission requiring CISOs and boards of directors to increase the level of transparency around their organizations' cybersecurity capabilities and to speed up ...
As this newsletter hits the wire, I will have just contributed my part to a panel discussion at the RSA Conference on the subject of IT security metrics. Security and compliance metrics are becoming a ...
One of the most difficult aspects of managing risk in information assurance (IA) is that our statistical information is so poor. We don’t know about security breaches that we have not noticed; we ...
For the past three years, IT and cybersecurity leaders have been facing enormous challenges as the world of work transformed before our eyes, customer preferences changed on a dime, and the move to ...
I am excited to join the team of security contributors on CSO Online and launch the “Security by Numbers” blog. I’ve been focused on computer and information security for my entire 20-year career and ...
How do we manage what we can’t measure? One of the cornerstones of the scientific method is measurability: a focus on defining the ways of counting or measuring aspects of reality that we hope will be ...