Richard Seiersen - Author Of The Metrics Manifesto

Dale Peterson interviewed Richard Seiersen, author of new book The Metrics Manifesto: Confronting Security With Data. For security controls - what would I see that would show me it is working? How do I measure the effectiveness and efficiency of my security controls? Why is so much of the book code, and can the book be valuable if you don't go through the code? A lot of time spent on categories of metrics: burndown and survival, arrival and escapes, and wait time Most of the examples in the book are vuln prevention and remediation ... how will the statistics deal with increases due to SBOMs? ... how to address vulnerabilities with very different related risk? How to address the CISO wanting a single dashboard with OT and IT metrics with very different risk related to those metrics? The concept of value of / return on control and how some CISOs are dealing with cyber risk Using SME beliefs as data and a lot more Links The Metrics Manifesto The book's site with code and other info Richard Seiersen's S4x18 video: How To Measure Anything In Cybersecurity Risk