CISO IT Episode with Rich Casselberry, VP of IT Security at ATN International

Security’s challenge lies in its intangible nature, often measured retrospectively during incidents, which can skew perceptions of success. While I’m not a security expert, my experience has taught me that success metrics are built on the foundations of a security program. For instance, in vulnerability management, initial success might be measured by the ability to conduct credentialed scans on all assets. As the program matures, success metrics evolve to include the efficiency of vulnerability triage and response times. These metrics become predictable, akin to those in finance or sales.

Policy and audit compliance provide a baseline measure of success, allowing businesses to focus on advanced security practices like threat modeling and incident management. The frequency of data flow analysis and incident response drills are indicators of a robust security posture. Conversely, if an organization struggles with audits or lacks updated documentation and incident response practice, it reflects a lack of preparedness akin to running a marathon without training. Success in security requires iterative learning and improvement.