Security Metrics: Protecting Our Digital Assets of the Future


Authors:   Caroline Wong


The presentation discusses the challenges of implementing effective security metrics and proposes a model for measuring security that focuses on protecting value.
  • Security metrics are difficult to implement due to oversimplification or information overload
  • Effective security metrics should focus on protecting value
  • The shift towards valuing digital assets makes cybersecurity more important
  • The speaker shares an anecdote about implementing security metrics at eBay
  • The speaker offers a LinkedIn Learning course on security metrics
The speaker shares how eBay's security team collaborated with development teams to define a measurable objective for their common goal of improving security. They decided on a defect density score for each customer-facing website, and aimed for a 20% reduction in vulnerabilities over a year. By tracking and reporting progress every month, they were able to achieve their goal. The speaker notes that while security professionals may prefer a higher percentage, setting a realistic goal helped gain buy-in from decision makers and developers.


Abstract:Caroline Wong, Chief Strategy Officer at Cobalt, holds deep-rooted expertise in information security. She began her security career about 15 years ago, leading security teams at eBay and Zynga. Since then, she has run a global product management team at Symantec, and has been a management consultant at an application security company called Cigital, which was later acquired by Synopsys. In this talk, Caroline will discuss the different roles that people, processes, and technology play when it comes to securing the world’s digital assets of the future. In particular - Caroline will discuss security metrics, and the importance of establishing a framework to measure whether or not your organization’s cybersecurity program is accomplishing goals and maintaining compliance over time. This past year has seen more vulnerabilities than ever before, bringing new and urgent challenges for security leaders to adapt to on a daily basis. Covid precipitated a virtually overnight shift to remote working, catching many organizations by surprise. In fact - the U.N. reported that cybercrime increased by 600% during the pandemic. Due to this rapidly changing environment, organizations’ security metrics must evolve quickly, yet sustainably, to meet the needs of evolving vulnerabilities and technology. Throughout Caroline’s talk, she will outline the evolution of security metrics, as well as how organizations can set a framework for successful monitoring in today’s cybersecurity world. Major points will include: - Why effective security metrics focus less on the numbers and more on the overall stories and messages behind a program’s performance. - Why every organization has to determine a budget when discussing how to invest in areas, such as data security, for the long run. For example, if you put a dollar toward an information security program - that means you’re not putting that same dollar into engineering, marketing, sales, or other areas that might be more clearly understood by an executive. - Why security metrics provide quantifiable and qualitative insight into a security program’s performance, and can be an extremely valuable asset for security teams asking for additional investment and resources. Security metrics, and how they can be implemented within an organization, is a topic that has fascinated Caroline since early on in her career, leading to ample research and exploration. In fact, Caroline wrote a book with McGraw Hill in 2011 entitled “Security Metrics: A Beginner’s Guide,” and plans to produce a new OWASP course about security metrics over the next few months.