Most discussions of security metrics focus on abstract theory -- how to measure security using complex equations that are only practical in a "perfect" world. This session takes the opposite tack, homing in on real-world methods for developing security metrics given the technical and cultural constraints within the modern organization. Tom Bowers, manager of information security operations at a large pharmaceutical company and technical editor for Information Security, offers insight into metrics that work for his company and other organizations he's familiar with. Tom details current, real-world projects and explains how he and his fellow security practitioners demonstrated value to the business units, as well as the CFO and CIO, without expensive, time-consuming academic formulas.
Download this presentation and learn:
- The theories for generating metrics and whether they apply to security
- Where to find measurable security statistics
- Practical low- or no-cost tools available
- Tips on presenting the business value where ROI is difficult to justify
- How to leverage security events occurring outside your company in your presentation
This was first published in October 2005