One of the most difficult aspects of managing risk in information assurance (IA) is that our statistical information is so poor. We don’t know about security breaches that we have not noticed; we ...
The National Defense Authorization Act for Fiscal Year 2017 (2017 NDAA) requires the Department of Homeland Security (DHS) to develop an annual report containing 43 specific metrics to measure the ...
For years, organizations have relied on traditional security metrics to measure their risk posture. Service-level agreements (SLAs), issue closure rates, and compliance checklists dominate dashboards, ...
For security professionals, two free risk-management guides out this week provide directions on how to establish corporate security metrics, as well as tips on organizing risk-assessment and ...
As this newsletter hits the wire, I will have just contributed my part to a panel discussion at the RSA Conference on the subject of IT security metrics. Security and compliance metrics are becoming a ...
With the US Securities and Exchange Commission requiring CISOs and boards of directors to increase the level of transparency around their organizations' cybersecurity capabilities and to speed up ...
The rising threat of cyberattacks has cranked up the pressure for CISOs right at the heart of business resilience. But their ...
The Government Accountability Office (GAO) has released a report indicating that the implementation of the Federal Information Security Modernization Act of 2014 (FISMA) by federal agencies remains ...
I am excited to join the team of security contributors on CSO Online and launch the “Security by Numbers” blog. I’ve been focused on computer and information security for my entire 20-year career and ...