“Security Metrics: A Beginner’s Guide” Review
“Security Metrics: A Beginner’s Guide” (2012) by Caroline Wong, book reviewed by Ben Smith
I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
Even the numbers-averse who lurk among us in the cybersecurity world eventually have to confront metrics, as either a publisher or a consumer.
There are a handful of security metrics-oriented books already reviewed for consideration here at the Cybersecurity Canon Hall of Fame – at the time of this review, examples include Jaquith, Hubbard, Hubbard & Seierson, and Freund & Jones. And if you, like me, already own all four of these rock-solid offerings, do you really need to make room for one more book on your metrics bookshelf?
Yes, you do! In fact, you should add Wong not as number five on the above list, but as number two. But more on that later. For now, know that this book may well be your one best single metrics resource if you are trying to stand up a metrics program, or if you need to diagnose why your current program is not performing as expected.
The author starts with the basics: why do we even attempt to measure security at all? Good metrics accomplish many things simultaneously. They provide visibility into your information security program, create a common language or vernacular so that everyone in your metrics reporting chain is on the same page, enable improvement through comparison and tracking over time, and can be leveraged as effective tools when budget time rolls around.
After a short review of security surveys and statistics to illustrate why metrics matter today, the author moves on to one of the best tests we can deploy when we’re thinking about new metrics: the “who cares?” test. Your audience always matters! If you think you’ve found the next great metric which will best help you tell your story, the author advises finding someone who should care about that metric, and asking if they would use the metric if provided to them regularly. Many a metrics program has failed after discovering that the numbers provided (after a lot of work to create them!) are not useful for the intended audience.
Looking at this book through the eyes of a security metrics practitioner looking to become a better business communicator – perhaps you’ve been looking for ways to make a more effective impact on your business – by far the two most valuable chapters are dedicated to identifying key messages and key audiences, and defining a communication strategy. These two chapters focus on honing your business relationship skills, where you’ll learn about the importance of identifying and lining up key stakeholders, understanding their goals (which – surprise! – may not be the same as your goals) and what it is you need those stakeholders to approve, keeping your message consistent and in “the language” of your organization, and the importance of avoiding fear, uncertainty and doubt.
When it comes to communicating, regardless of what you may be presenting, be it metrics or some other topic, it’s all about understanding your audience. Too many of us focus on the great content or the new information we want to share, without first considering what our audience wants to hear, and perhaps even more importantly, needs to hear.
One other area in this book not directly addressed in many others is the concept of “dirty data” and the challenges introduced when ingesting data sets from multiple systems. The author makes an especially important point in noting that dirty data often points to broken business processes – and it’s the identification and remediation of these broken processes which should be considered a side benefit to any metrics program.
Additional chapters are dedicated to analytics (including a short case study), project management, defining objectives, automation, and other areas, all on-topic and appropriate for consideration as part of your own metrics program. The book closes out with a fourteen-page appendix of questions designed for you to ask in making sure that you are indeed headed in the right direction with your metrics program.
In short, this one book casts a wide net and succeeds in its goal. Is it The One be-all-and-end-all resource for security metrics? Well, no, it’s not – but it is one of the best early resources you should consume once you decide to build out your metrics program, or to fine-tune an existing program. This book recognizes we all live in the real world and provides explicit guidance to set you up for success with your program.
Now that I’ve (hopefully) made the case for you to add this metrics book to your bookshelf, let’s talk about the order in which you should consume this book. I almost always recommend starting with Jaquith in this space for a solid foundation on security metrics generally. Rather than proceeding directly to the more-targeted Hubbard, Hubbard & Seierson, and Freund & Jones – and let me emphasize, these are all worthy – make Wong your number two purchase, especially if you are a real-world practitioner in the metrics space.