Why Technical Metrics Aren't Enough: 10 Strategic Security Measures to Consider

Thursday, May 08 | 9:00AM–10:00AM
Session Type: Professional Development

Learn how 10 strategic security measures, when tied to business objectives, are more effective than tactical operational measures (systems patched, incidents reported) in determining your current security state and improving your security posture. Too often, organizations "count" things (spam blocks, systems patched, vulnerability scan results, incidents reported versus closed/unauthorized access requests, people trained) to determine their current security state and figure out what to improve. Count measures, even those trended over time, are often missing meaningful context on how they can be used to inform decisions, affect behavior, and help determine what actions will result in true, sustainable improvement.

Outcomes:

  • Learn key questions to ask to determine which measures are most important
  • Obtain 10 key measures that better illustrate your current security state and inform the selection of improvements
  • Learn how to put measures in place so they stick (including the definition of a measurement template)


  • Julia Allen

    Principal Researcher, Carnegie Mellon University
