Overview
Syllabus
Intro
What is this about?
- Avoiding meaningless metrics
- Finding better metrics
- Improving communication; driving action
Looking for this? (wrong track)
Don't show raw NUMB-ers!
Losing the Executive Support
- NUMB-ers are what we like
- Large amounts of data which we know
- Represent transactions or events
Executives Seek Quick Value
Show Business Impact: email
Build Strong Images
Email: Typical Presentation
Email: Better Story
Email: Improved Story
Explaining Vulnerabilities...
- The Security Team sees the servers as an unpatched mess.
- Server Admins see patching as a time waster...
- Management tries to balance risk vs. effort.
Show (drive) Patching Success
Two activities which are hard to value:
- Patching
- Configuration (when not for performance)
Server grades: simplifying data
- Vulnerability measures are typically too abstract
  - Computed by taking a "risk score" per vulnerability
- Total cumulative score for an organization does not
Server Grading Approach
Server Grades: showing data
Other Metric Stories
- There are many stories to tell
  - Ask what needs to change or improve
Story: AntiVirus Failed to Clean
- Red is "bad" and costly. It shows AV failed and the machine required a manual reimage.
- The downward trend got attention and was fixed in October!