In this episode I talk with Jim Kuiphof and Aaron Silver from Spectrum Health Information Security. We look back at the last 5 years of their security program to glean some lessons learned about security metrics.
Talking Points:
There are three key principles in any security metrics program:
- It’s a Journey - You are going to have to be OK with taking a faceplant at first before you can mature and get quality metrics. Think of metrics as a ‘lifecycle’.
- The ‘Why’ - What problem are you trying to solve? E.g. how do you effect change from your metrics? (Not collecting numbers just for the sake of having numbers.)
- Build Partnerships - It’s a team effort. Invite help. Don’t do this in a vacuum. The first time a director sees a metric shouldn’t be in an all-director meeting. Shaming isn’t going to help your cause.