Creating a Security Metrics Program: How to Measure Success - SANS ICS Security Summit 2019

Presenter: Jason Christopher, CTO, Axio Global, Inc. We’ve heard it all before: “Our team handles 500,000 cyber-attacks a day.” “Cyber threats are increasing.” “We track cybersecurity as a critical risk for our organization.” But what does any of that really mean? Creating measurements and metrics around cybersecurity is difficult, but so is building a sustainable metrics program, regardless of the subject matter. Early tasks, including measuring what is important and resource management, can be undermined by external pressures to tell a certain narrative or prove certain results. How can our industry create unbiased, yet compelling, metrics? What is the right-sized team or amount of resources for a metrics program? Is such a program sustainable? This presentation will cover not only the basics of cybersecurity metrics, but also lay the foundation for how s security team can create a new metrics program that goes beyond red/yellow/green or compliance. By moving to objective and repeatable metrics, utility security leaders will be able to not only justify programmatic improvements, but also track trends across environments and future projects. With research from the U.S. Department of Energy, the Electric Power Research Institute, and the National Institute of Standards and Technology, practitioners can build a defensible security metrics program across strategic, tactical, and operational levels of the utility. SANS Summit schedule: http://www.sans.org/u/DuS The annual ICS Security Summit brings together practitioners and leading experts to share ideas, methods, and techniques for defending control system environments. In-depth presentations and interactive panel discussions deliver real-world approaches that work and make a difference for the individuals fighting this fight every day.