Learn effective strategies for communicating security metrics to executives in this 24-minute conference talk from BSidesLV 2015. Discover how to avoid common pitfalls such as presenting raw numbers and instead focus on crafting compelling narratives that demonstrate quick value. Explore techniques for simplifying complex data, including a server grading approach that balances risk versus effort. Gain insights on presenting vulnerability information in a way that resonates with different stakeholders, from security teams to server administrators and management. Master the art of driving patching success and telling impactful metric stories that align with executive priorities.
Overview
Syllabus
Intro
Looking for this? (wrong track)
Let's not do this...
Don't show raw NUMB-ers!
Email: Typical Presentation
Email: Better Story
Executives Need Quick Value
Explaining Vulnerabilities... Security Team see the servers as an unpatched mess... Server Admins see patching as a time waster.. Management tries to balance risk vs. effort...
Show (drive) Patching Success
Server Grading Approach Input from System Scanning • Missing Patches and Vulnerabilities by Seventy per system
Server Grades: simplifying data
Server Grades: showing data
Other Metric Stories There are many stories to tell
