You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS...
Transcript of You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS...
![Page 1: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/1.jpg)
Applying the Four Disciplines of Execution to an Information Security Program
Fourth Annual IT Hacking Conference
October 25th, 2017
You Can’t Manage What You Don’t Measure
Thomas Eck Director
Security Programs & Strategy
![Page 2: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/2.jpg)
Thanks
![Page 3: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/3.jpg)
It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.
-Deming If you can’t
measure it, you can’t improve it
-Drucker
![Page 4: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/4.jpg)
![Page 5: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/5.jpg)
![Page 6: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/6.jpg)
6
Case Study • Fortune 250 Company
• Internal Audit finding to leverage quantitative measurement of the organization’s security program
• EVP’s “Book Club” Reading Assignment
![Page 7: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/7.jpg)
The Measurement Challenge
![Page 8: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/8.jpg)
![Page 9: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/9.jpg)
![Page 10: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/10.jpg)
![Page 11: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/11.jpg)
![Page 12: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/12.jpg)
BUT…
![Page 13: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/13.jpg)
![Page 14: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/14.jpg)
![Page 15: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/15.jpg)
![Page 16: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/16.jpg)
16 Expert Knowledge A
bilit
y to
Dem
and
Act
ion
of O
ther
s A Challenging Paradox…
COMMUNICATION
![Page 17: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/17.jpg)
![Page 18: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/18.jpg)
![Page 19: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/19.jpg)
![Page 20: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/20.jpg)
![Page 21: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/21.jpg)
The Curse of Knowledge
![Page 22: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/22.jpg)
![Page 23: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/23.jpg)
23
Typical Scorecard Issues: A Summary • Too much of the wrong data presented to the wrong audience
• We shouldn’t assume knowledge or ability to interpret data correctly
• Fail to use concrete language that naturally leads to the actions you want taken
![Page 24: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/24.jpg)
24
![Page 25: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/25.jpg)
25
![Page 26: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/26.jpg)
(Another) Masterpiece Opportunity
![Page 27: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/27.jpg)
27
![Page 28: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/28.jpg)
ACTIONABLE RELEVANT CONCRETE DYNAMIC
![Page 29: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/29.jpg)
4DX =
![Page 30: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/30.jpg)
30
4DX Recap: 352 Pages in Four Bullets • Choose one or two (but no more) Wildly Important Goals in the form of
“change X to Y by this date”
• Choose your Lead Measures in the form of simple, measurable actions you can do each day that will help you reach your goals
• Keep a compelling Scoreboard which tells you at a glance whether you’re on target to hit your goals or not
• Hold regular accountability sessions to review the scoreboard and discuss progress
![Page 31: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/31.jpg)
31
Lead Metrics versus Lag Metrics
Current Weight
Calories In – Calories Expended
vs.
![Page 32: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/32.jpg)
32
Focus on What is Wildly Important • Create a universe of possible metrics, but present only those that support the
story you need to tell
• If you have to present everything, create an appendix or use an executive summary to avoid “burying the lede”
• Communicate what is necessary to keep people accountable
![Page 33: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/33.jpg)
33
![Page 34: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/34.jpg)
34
C A S E
The CASE Method: An Effective Methodology
opy nd teal verything
![Page 35: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/35.jpg)
35
CIS Consensus-based Metrics • Derived based on consensus of 150 industry experts
• Detailed definitions of 28 metrics across 7 different functions: o Incident Management o Vulnerability Management o Patch Management o Application Security o Configuration Management o Change Management o Financial Metrics
![Page 36: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/36.jpg)
36
CIS Consensus-based Metrics • Each CIS metric definition provides the following:
• Metric Name • Description • Type
• Management • Operational • Technical
• Audience • Business
Management • Security
Management • Security Operations • Operations
• Question • Answer • Formula • Units • Frequency • Targets • Potential Data
Sources • Visualization
Recommendations
![Page 37: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/37.jpg)
37
CIS Consensus-based Metrics Function Management
Perspective Defined Metrics
Incident Management
How well do we detect, accurately identify, handle, and recover from security incidents?
• Cost of Incidents • Mean Cost of Incidents • Mean Incident Recovery Cost • Mean-Time to Incident Discovery • Number of Incidents • Mean-Time Between Security Incidents • Mean-Time to Incident Recovery
Vulnerability Management
How well do we manage the exposure of the organization to vulnerabilities by identifying and mitigating known vulnerabilities?
• Vulnerability Scanning Coverage • Percent of Systems with No Known Severe
Vulnerabilities • Mean-Time to Mitigate Vulnerabilities • Number of Known Vulnerability Instances • Mean Cost to Mitigate Vulnerabilities
![Page 38: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/38.jpg)
38
CIS Consensus-based Metrics Function Management
Perspective Defined Metrics
Patch Management
How well are we able to maintain the patch state of our systems?
• Patch Policy Compliance • Patch Management Coverage • Mean-Time to Patch • Mean Cost to Patch
Configuration Management
What is the configuration state of systems in the organization?
• Percentage of Configuration Compliance • Configuration Management Coverage • Current Anti-Malware Compliance
Change Management
How do changes to system configurations affect the security of the organization?
• Mean-Time to Complete Changes • Percent of Changes with Security Reviews • Percent of Changes with Security Exceptions
![Page 39: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/39.jpg)
39
CIS Consensus-based Metrics Function Management
Perspective Defined Metrics
Application Security
Can we rely on the security model of business applications to operate as intended?
• Number of Applications • Percent of Critical Applications • Risk Assessment Coverage • Security Testing Coverage
Financial Metrics
What is the level and purpose of spending on information security?
• IT Security Spending as % of IT Budget • IT Security Budget Allocation
![Page 40: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/40.jpg)
40
Data Sources • Vulnerability scan data
• Policy enforcement data
• DLP and incident tracking tool data
• Phishing campaign results
• Reconciliation across disparate data sets o HR and Active Directory (Users) o HR and Phishing Campaign Data (Users) o Active Directory and Antivirus Database (Clients) o Active Directory and Vulnerability Scanning inventory (Clients and Networks)
![Page 41: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/41.jpg)
41
Differing Audiences: The Metrics Hierarchy • We want to focus on building lead measures at the Operational level
• We also want to build a hierarchy of metrics that directly show the relationship between metrics needed to support each audience
Overall Device Compliance
% Vulnerable Systems
# of Days to Apply Critical Patches Exceptions %
% Systems Aligned to Enterprise Standards
Windows % Exceptions %
Strategic
Management
Operational
Device Compliance Metrics
![Page 42: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/42.jpg)
Applying the Key Concepts
![Page 43: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/43.jpg)
43
Metric Metric Description and Associated Risk
Metric Value Target Value Status Recommended Action
Ability to Enforce Server Standards
Non-compliant devices are not aligned with established security standards enforced by Qualys. This metric measures the number of servers that are reporting health Qualys client installations.
97% >95% OK Review list of missing devices; identify root cause and take corrective action
Alignment with Wintel Server Standards
Non-compliant devices are not aligned with established security standards enforced by Qualys. This metric measures the percentage of devices with a “passing” compliance score within Qualys.
82% 90% Investigate Continue efforts to remediate non-compliant devices
Alignment with Unix Server Standards
Non-compliant devices are not aligned with established security standards enforced by Qualys. This metric measures the percentage of devices with a “passing” compliance score within Qualys.
87% 90% Investigate Continue efforts to remediate non-compliant devices
Alignment with VMWare Server Standards
Non-compliant devices are not aligned with established security standards enforced by Qualys. This metric measures the percentage of devices with a “passing” compliance score within Qualys.
98% 90% OK No action required at this time
Alignment with Network Device Standards
Non-compliant devices are not aligned with established security standards enforced by Qualys. This metric measures the percentage of devices with a “passing” compliance score within Qualys.
95% 90% OK No action required at this time
Alignment with Database Standards
Non-compliant devices are not aligned with established security standards enforced by Qualys. This metric measures the percentage of devices with a “passing” compliance score within Qualys.
65% 90% Action Required Continue efforts to remediate non-compliant devices
![Page 44: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/44.jpg)
44
Metric Risk Associated with Metric Metric Value Target Value Status Recommended Action
Active Directory
Aged Machine Accounts
Aged machine accounts may indicate broken or missing business processes associated with removing devices from the environment
12% <10% Action Required Trending positively. Continue investigating to remove aged machine accounts in Active Directory
Server-based Controls
Server Antivirus Coverage
All devices within the environment should maintain an up-to-date antivirus client installation to reduce malware-related threats
99% >95% OK No action required at this time
Use of Privileged Access Management Tools
We maintain a privileged access management tool to control, manage and track the proper use of administrative rights
83% >75% OK No action required at this time
Desktop-based Controls
Desktop Management Coverage
All desktops within the environment should have a valid desktop management client to facilitate patching, inventory and remote access
99% >95% OK No action required at this time
Desktop Antivirus Coverage
All devices within the environment should maintain an up-to-date antivirus client installation to reduce malware-related threats
94% >95% Investigate Trending negatively by ~1% – investigate why fewer devices are checking in over last month
Mobile Device Encryption
Non-compliant machines are not known to be running whole disk encryption and represent a potential data loss risk if the device is lost or stolen
95% >95% OK No action required at this time
![Page 45: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/45.jpg)
45
• Total Machine Accounts in Active Directory 11,161
• Windows Devices in Active Directory 10,953
• Devices with check-in within the last six months 8,918
13, 0% 534, 5%
1488, 14%
8918, 81%
Machine Account Aging
60+ Months 12-60 Months6-12 Months 0-6 Months
![Page 46: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/46.jpg)
46
Implementing a Metrics Program • Agreed upon relevant metrics to be collected, definitions, initial Wildly
Important Goal
• Identified data sources for metrics supporting WIG o Derived new data through reconciliation o Fully automated data collection
• Reviewed specific metric performance to establish realistic targets
• Agreed format for operational and leadership scorecards o Data trending and Board-level scorecard replacement planned for future phase
• Socialized with stakeholders outside of Security
![Page 47: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/47.jpg)
47
![Page 48: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/48.jpg)
48
Summary • Actionable, lead measures arranged hierarchically and tailored to tell the right
story to each audience
• Only choose metrics from your inventory that support your Wildly Important Goal(s) and highlight the actions requested of stakeholders o Use the CASE Method: leverage the CIS definitions where possible o Reconcile across data sets for new insights
• Eliminate the need for expert knowledge in order to interpret the data by explicitly stating the actions you want taken
![Page 49: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/49.jpg)
49
![Page 50: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/50.jpg)
Questions &
Answers
![Page 51: You Can’t Manage What You Don’t Measure...o Change Management o Financial Metrics . 36 CIS Consensus-based Metrics ... • Risk Assessment Coverage • Security Testing Coverage](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21b76650f2f36fad36fbeb/html5/thumbnails/51.jpg)