Why can it be so hard to gain traction with security metrics? Metrics should help people make better, more informed decisions, right? We measure a lot of things to get them right and eke out more efficiency, so shouldn’t security metrics do the same? Why isn’t it obvious to leadership how important this is? This presentation takes a look at these questions, and more, in a slightly different light.
It will also explore a little about how people make decisions, from groupthink to the type A personalities that seem to dominate the decision-making process. When logic and reason come in contact with personality and passion, the clash can be interesting at times and can make our jobs as security professionals a pain.
The discussion will explore ways to identify these potential clashes and still show value of security metrics by supporting a risk decision process.
It will also cover some of the basics of what security metrics can do for an organization, from a small set of measurement capabilities up to a full set of security program performance measures.
- Risk management and decision making processes.
- Basic security metrics and how to use them.
- Understanding risk tolerance and your organization's risk appetite.
About Eric Breece

Eric is an information security professional with over 16 years of IT and information security experience that ranges from application development to infrastructure implementation to program management. He has worked for companies that have provided a diverse range of experience that covers the healthcare, manufacturing, financial, government, legal, and consulting industries.
He has created information security programs and has expertise in information security risk management, security auditing and regulatory compliance, policy/standards development, program and process development, enterprise architecture, and strategic planning. He brings knowledge of many regulatory requirements (e.g. HIPAA, GLBA, IRS 1075) and internationally accepted standards such as NIST, ISO 27001, HITRUST, and others. He strives to always balance these types of requirements with core business objectives so that security is an enabler, not a hindrance.