Ben Smith is Field Chief Technology Officer (Field CTO – US East) with RSA, The Security Division of EMC. He is a trusted advisor and consultant to RSA’s global financial services customers, as well as customers in other vertical markets. With over 25 years’ experience in the networking, information security and telecommunications industries, he is responsible for consulting on RSA’s strategic vision around architecture and technical roadmaps for the company’s security and risk management solutions. Prior to joining RSA, he held senior technical positions at UUNET, Intuit, CSC, and the US Government, along with a string of technology-oriented startups. He holds a number of professional technical certifications, including the Certified Information Systems Security Professional (CISSP) certificate, and has presented on RSA’s behalf, both domestically and internationally, at cybersecurity events sponsored by Gartner, FS-ISAC, ISSA, ICI, (ISC)2, ISACA, InfraGard, HTCIA and other organizations.
Measuring Security: How Do I Know What a Valid Metric Looks Like?
There is no universally accepted method to measure security. So how do we translate operational measurements into meaningful security metrics for the business? Doing so effectively is essential, because you can’t manage what you don’t measure. This session will touch on the following general questions: Why are security metrics important, from both a compliance and an operational perspective? What are some best practices to keep in mind when selecting security metrics? Does your audience(s) dictate which metrics to select? What behaviors are you trying to influence with these metrics? What are some unexpected sources of security metrics? How should you communicate those metrics internally within your organization for maximum impact? Are there any examples of poor metrics which should be avoided in most cases?