June 14, 2021

Security metrics for reporting

Is there a standard for security metrics that can be used for the purposes of reporting to, e.g., senior management? The purpose of the security metrics is to communicate risk over a period of time for different domains, e.g. asset management, identity & access management, vulnerability management, etc.

For example:

* Number of managed vs unmanaged assets
* Number of devices patched vs unpatched over a period of 90 days
* Number of active accounts vs inactive accounts over a period of 90 days
* Number of privileged accounts
* Number of security events vs incidents
* Number of users that have completed training vs those who haven't
* Number of users who have clicked on simulated phishing emails
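As an added example (not part of the question or any reply), the script below derives every metric in the list above from inventory, IAM, ticketing and awareness-programme records, using a 90-day window anchored to the reporting date, and then pairs each targeted metric with a threshold and a pass/miss flag so the count carries a meaning for the reader. All records and the target values are constructed assumptions for illustration. It goes slightly beyond the list by also reporting privileged accounts that are inactive, since that combination is usually the one an executive needs to act on, and it computes the patched ratio over managed assets only, because patch state of an unmanaged device is unknown and belongs in the asset-management gap rather than the patching one.

```python
"""Derive the reporting metrics listed in the question from record sets,
then compare each against a target. Sample data is constructed, not real."""
from datetime import date, timedelta

AS_OF = date(2021, 6, 14)          # reporting date (assumed)
WINDOW = timedelta(days=90)        # the "over a period of 90 days" window

ASSETS = [  # managed = enrolled in inventory/endpoint management; None = never patched
    {"host": "web-01", "managed": True,  "last_patched": date(2021, 5, 30)},
    {"host": "web-02", "managed": True,  "last_patched": date(2021, 2, 1)},
    {"host": "db-01",  "managed": True,  "last_patched": date(2021, 6, 1)},
    {"host": "lab-07", "managed": False, "last_patched": None},
]
ACCOUNTS = [  # last_login None = never logged in
    {"user": "alice",      "privileged": True,  "last_login": date(2021, 6, 10)},
    {"user": "bob",        "privileged": False, "last_login": date(2021, 1, 15)},
    {"user": "carol",      "privileged": True,  "last_login": None},
    {"user": "dave",       "privileged": False, "last_login": date(2021, 6, 1)},
    {"user": "svc-backup", "privileged": True,  "last_login": date(2021, 6, 13)},
]
EVENTS = [  # security events raised in the window; incident = escalated after triage
    {"id": "EV-1", "incident": False}, {"id": "EV-2", "incident": True},
    {"id": "EV-3", "incident": False}, {"id": "EV-4", "incident": False},
    {"id": "EV-5", "incident": True},  {"id": "EV-6", "incident": False},
]
TRAINING = {"alice": True, "bob": True, "carol": False, "dave": True}   # completed?
PHISH_SIM = {"alice": False, "bob": True, "carol": True, "dave": False}  # clicked?

# Illustrative targets (assumed): metric -> (kind, threshold)
TARGETS = {
    "managed_ratio":       ("min", 0.95),
    "patched_ratio":       ("min", 0.95),
    "inactive_accounts":   ("max", 0),
    "privileged_inactive": ("max", 0),
    "training_ratio":      ("min", 0.75),
    "phish_click_ratio":   ("max", 0.05),
}


def recent(d, as_of=AS_OF, window=WINDOW):
    """True if d is a date inside the window ending at as_of (None = never)."""
    return d is not None and timedelta(0) <= as_of - d <= window


def ratio(part, whole):
    """Safe ratio: an empty population reports 0.0 instead of raising."""
    return part / whole if whole else 0.0


def compute_metrics(assets=ASSETS, accounts=ACCOUNTS, events=EVENTS,
                    training=TRAINING, phish=PHISH_SIM, as_of=AS_OF):
    managed = [a for a in assets if a["managed"]]
    # Patch state is only knowable for managed assets, so the patched ratio
    # is computed over the managed set; unmanaged devices are their own gap.
    patched = [a for a in managed if recent(a["last_patched"], as_of)]
    active = [u for u in accounts if recent(u["last_login"], as_of)]
    privileged = [u for u in accounts if u["privileged"]]
    priv_inactive = [u for u in privileged if not recent(u["last_login"], as_of)]
    incidents = [e for e in events if e["incident"]]
    trained = [u for u, done in training.items() if done]
    clicked = [u for u, c in phish.items() if c]
    return {
        "managed": len(managed), "unmanaged": len(assets) - len(managed),
        "managed_ratio": ratio(len(managed), len(assets)),
        "patched": len(patched), "unpatched": len(managed) - len(patched),
        "patched_ratio": ratio(len(patched), len(managed)),
        "active_accounts": len(active), "inactive_accounts": len(accounts) - len(active),
        "privileged_accounts": len(privileged), "privileged_inactive": len(priv_inactive),
        "events": len(events), "incidents": len(incidents),
        "training_ratio": ratio(len(trained), len(training)),
        "phish_click_ratio": ratio(len(clicked), len(phish)),
    }


def evaluate(metrics, targets=TARGETS):
    """Pair each targeted metric with its threshold and a pass/fail flag."""
    rows = []
    for name, (kind, threshold) in targets.items():
        value = metrics[name]
        ok = value >= threshold if kind == "min" else value <= threshold
        rows.append({"metric": name, "value": value,
                     "target": f"{kind} {threshold}", "ok": ok})
    return rows


if __name__ == "__main__":
    for row in evaluate(compute_metrics()):
        print(f"{row['metric']:<20} {row['value']:>6.2f}  "
              f"target {row['target']:<9} {'OK' if row['ok'] else 'MISS'}")
```

Run the same script on each reporting date and keep the rows, and the series becomes the trend over time the question asks for; the thresholds in TARGETS are the part that should come from the organisation's own risk appetite rather than from this example.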

Those metrics are good but don't mean much to an exec without what they SHOULD be.


I think a better question would be how to become Sr management if you understand Sec.

Otherwise it's like briefing Homer Simpson about situations that cause Chernobyl-level incidents.
