
The latest installment of the CISO IT podcast is out now. Listen on your favorite podcast platform! 

This episode features special guest Rich Casselberry. 

Jason and Rich discuss the challenges of security and how to make better risk decisions. They explore the difficulty of proving a negative in security and the lack of obvious metrics of success. They emphasize the importance of balancing risk and finding the right level of security for the organization. Plus a whole lot more! 

We’d love to hear if you AGREE or DISAGREE with the following statement from the episode: 

Security is challenging because it involves proving a negative and lacks obvious metrics of success.


Security’s challenge lies in its intangible nature, often measured retrospectively during incidents, which can skew perceptions of success. While I’m not a security expert, my experience has taught me that success metrics are built on the foundations of a security program. For instance, in vulnerability management, initial success might be measured by the ability to conduct credentialed scans on all assets. As the program matures, success metrics evolve to include the efficiency of vulnerability triage and response times. These metrics become predictable, akin to those in finance or sales.

Policy and audit compliance provide a baseline measure of success, allowing businesses to focus on advanced security practices like threat modeling and incident management. The frequency of data flow analysis and incident response drills is an indicator of a robust security posture. Conversely, if an organization struggles with audits or lacks updated documentation and incident response practice, it reflects a lack of preparedness akin to running a marathon without training. Success in security requires iterative learning and improvement.


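The reply above names three vulnerability-management metrics that mature in sequence: credentialed-scan coverage, triage speed, and remediation time. The following is an added example of how such metrics are actually computed from scanner output; it is not code from the podcast, the thread, or any product. The asset inventory, the findings, the SLA days per severity and all identifiers are constructed for illustration. Two design choices matter for the numbers to be honest: assets that were never scanned count against coverage, and findings nobody has triaged are counted as still waiting rather than dropped.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Remediation SLA per severity, in days. Hypothetical values for the example;
# a real program takes these from its own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Asset:
    asset_id: str
    # True = last scan used credentials, False = unauthenticated only,
    # None = the asset has never been scanned at all.
    last_scan_credentialed: Optional[bool]


@dataclass
class Finding:
    asset_id: str
    severity: str
    detected: datetime
    triaged: Optional[datetime] = None
    remediated: Optional[datetime] = None


# Constructed sample inventory and findings (not real data).
NOW = datetime(2024, 3, 1)

ASSETS = [
    Asset("web-01", True),
    Asset("web-02", True),
    Asset("db-01", False),
    Asset("legacy-01", None),
]

FINDINGS = [
    Finding("web-01", "critical", datetime(2024, 2, 1),
            triaged=datetime(2024, 2, 1, 4), remediated=datetime(2024, 2, 5)),
    Finding("web-02", "critical", datetime(2024, 2, 10),
            triaged=datetime(2024, 2, 12), remediated=datetime(2024, 2, 25)),
    Finding("db-01", "high", datetime(2024, 1, 15),
            triaged=datetime(2024, 1, 16)),          # still open, past SLA
    Finding("web-01", "high", datetime(2024, 2, 20)),  # untriaged, inside SLA
    Finding("legacy-01", "medium", datetime(2024, 1, 1),
            triaged=datetime(2024, 1, 3), remediated=datetime(2024, 2, 15)),
]


def credentialed_coverage(assets):
    """Fraction of inventoried assets whose most recent scan was credentialed.
    Never-scanned assets count against coverage, so the metric cannot be
    inflated by leaving hosts out of scan scope."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a.last_scan_credentialed) / len(assets)


def median_hours_to_triage(findings, now):
    """Median hours from detection to triage. An untriaged finding is still
    waiting, so it is measured up to `now` instead of being ignored;
    otherwise a growing backlog would make the number look better."""
    hours = [((f.triaged or now) - f.detected).total_seconds() / 3600
             for f in findings]
    return median(hours) if hours else 0.0


def remediation_sla_compliance(findings, now):
    """Per-severity fraction of findings fixed within SLA. Counted: every
    closed finding, plus open findings already past SLA (breaches). Open
    findings still inside SLA are not yet decidable and are left out.
    Severities with nothing to count are omitted from the result."""
    result = {}
    for sev, days in SLA_DAYS.items():
        sla = timedelta(days=days)
        counted = compliant = 0
        for f in findings:
            if f.severity != sev:
                continue
            if f.remediated is not None:
                counted += 1
                compliant += (f.remediated - f.detected) <= sla
            elif now - f.detected > sla:
                counted += 1  # open and already late: a breach
        if counted:
            result[sev] = compliant / counted
    return result


def program_metrics(assets=ASSETS, findings=FINDINGS, now=NOW):
    """The three maturity-stage metrics on one report."""
    return {
        "credentialed_coverage": credentialed_coverage(assets),
        "median_hours_to_triage": median_hours_to_triage(findings, now),
        "sla_compliance": remediation_sla_compliance(findings, now),
    }


if __name__ == "__main__":
    for name, value in program_metrics().items():
        print(f"{name}: {value}")
```

On the constructed data this reports 50% credentialed coverage (two of four assets), a median of 48 hours to triage, and SLA compliance of 0.5 for critical, 0.0 for high and 1.0 for medium, with no entry for low because nothing of that severity was recorded. Tracked over successive reporting periods, these are the predictable, trend-able numbers the reply compares to finance or sales metrics.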