Cybersecurity: The New Metrics
BitSight's Jacob Olcott on How to Respond When the Board Asks 'How Secure Are We?'
"How secure are we?" That's one of the most common questions asked by boards and senior managers. But security and technology leaders do not always have ready answers, says Jacob Olcott of BitSight Technologies. Are they even using the right security metrics?
It's a real and growing challenge, says Olcott, BitSight's VP of Business Development.
"The challenge that CIOs and CISOs face is to be able to take what is a very complicated process, with lots of different metrics, and distill that information in a way that it can be consumed by senior executives and the board, so that they can understand 'Are we meeting standard of care in our industry? Are we performing adequately, or do we need to be investing more resources to improve our defenses?'"
And a common problem, Olcott adds, is that security and technology leaders often rely on the wrong metrics.
"I think people get caught up in only collecting what I refer to as the audit and compliance metrics," he says. "And they miss the opportunity to collect what is actually maybe even more significant, which is the operational effectiveness measurement."
In an interview about cybersecurity metrics, Olcott discusses:
- What's wrong with traditional metrics;
- How good metrics help benchmark against peers and rivals;
- Do's and don'ts for presenting security metrics to the board.
Before joining BitSight, Olcott managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Previously, he served as legal adviser to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee. He completed his education at the University of Texas at Austin and the University of Virginia School of Law.