How Do Security Teams Measure What Really Matters?

In our last Super Cyber Friday, "Hacking Metrics That Matter: An hour of critical thinking about finding what you need to measure to improve your security program," we explored how to differentiate meaningful metrics from vanity metrics, how security teams can use data to tell a compelling story to the business, and which frameworks can help organizations measure security more effectively. Joining us for this discussion were Frederico Hakamine, technology evangelist, Axonius, and James Killgore, senior manager, information security, WideOrbit.

HUGE thanks to our sponsor, Axonius

Watch the full video of our discussion here

Watch the Axonius demo

Join us next Friday (02-28-2025) for “Hacking the Modern Audit”

Super Cyber Friday will be back next Friday, February 28th, 2025 for our discussion “Hacking the Modern Audit: An hour of critical thinking about improving quality and reducing cost to this critical process.”

It all starts at 1 PM ET/10 AM PT.

>>> REGISTER for 02-28-2025 Super Cyber Friday <<<

Did you know that we have an events calendar? Visit our events page to subscribe so you can stay up to date on Super Cyber Friday and other CISO Series content.

Best quotes from our guest

"Key risk indicators are the vulnerabilities or threats that are present in your environment, but they are not necessarily exploited. There's a risk or a likelihood that they will be, and risk scoring for that is amazing." – Freddy Hakamine, Axonius

"A great security metric isn’t just about risk, it’s about how well your controls are actually working. It’s not enough to have EDR deployed, you need to measure how effective it is in stopping threats." – Freddy Hakamine, Axonius

"Security teams deal with immense pressure, and when something goes wrong, metrics provide defensibility. They help prove you did the right things, even if a breach happens." – Freddy Hakamine, Axonius

"Ignoring your own confirmation bias is a bad idea. Human beings tend to prefer outcomes that are favorable to them, and that can skew how we interpret security metrics." – James Killgore, WideOrbit

"When someone asks, ‘Are we secure?’ I ask them, ‘What do you mean by secure?’ They’re usually thinking about a specific risk, and that helps frame the right response." – James Killgore, WideOrbit

"Time to remediate vulnerabilities is a key metric, but not all vulnerabilities are created equal. A CVSS 10 with a public exploit is much more urgent than a low-risk issue. Prioritization matters." – James Killgore, WideOrbit

Quotes from the chat room

"Vulnerabilities aren't risks on their own. To show true risk, perform a business impact analysis. Remember: Vulnerability + Threat = Risk." - Aman S., VP, cybersecurity business engagement, Elsevier

"People often grab metrics without understanding how they'll use them. This only leads to confusion and the question, 'So what?'" - Bryn Standley-Ossa, customer success manager, Expel

"Quarterly, review your metrics to ensure they're still necessary and providing useful business data." - James S.

"Meet with sales/marketing to understand their key metrics. You'll likely find common ground where security can add value." - Duane Gran, director of information security, Converge Technology Solutions Corp.
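James Killgore's point that time to remediate must be weighted by how exploitable a vulnerability is, and Aman S.'s reminder that risk is vulnerability plus threat plus business impact, can be combined into one reportable metric. The following is an added example written for this recap, not code from the CISO Series, Axonius or either speaker. The findings, the tiering rule (CVSS, public exploit, business-critical asset) and the per-tier SLA days are all constructed assumptions; a real program would plug in its own scanner export and its own policy.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    """One vulnerability on one asset. Sample rows below are constructed, not real scan data."""
    asset: str
    vuln_id: str             # placeholder identifiers, not real CVE numbers
    cvss: float
    exploit_public: bool     # the "threat" half of Vulnerability + Threat = Risk
    business_critical: bool  # outcome of a business impact analysis of the asset
    opened: date
    closed: Optional[date] = None

# Assumed SLA policy: days allowed to remediate per tier. Every program sets its own.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}

def risk_tier(f: Finding) -> str:
    """Rank by severity, threat and business impact together, not by CVSS alone."""
    if f.exploit_public and f.cvss >= 9.0:
        tier = "P1"
    elif f.exploit_public or f.cvss >= 7.0:
        tier = "P2"
    else:
        tier = "P3"
    # A business-critical asset raises the tier one step (P1 stays P1).
    if f.business_critical and tier != "P1":
        tier = "P1" if tier == "P2" else "P2"
    return tier

def remediation_metrics(findings, as_of: date) -> dict:
    """Per tier: open findings, findings past SLA, median days-to-remediate for closed ones."""
    buckets = {t: {"open": 0, "past_sla": 0, "ttr_days": []} for t in SLA_DAYS}
    for f in findings:
        b = buckets[risk_tier(f)]
        age = ((f.closed or as_of) - f.opened).days   # open findings age until the report date
        if f.closed is None:
            b["open"] += 1
        else:
            b["ttr_days"].append(age)
        if age > SLA_DAYS[risk_tier(f)]:
            b["past_sla"] += 1
    return {
        t: {
            "open": b["open"],
            "past_sla": b["past_sla"],
            "median_ttr_days": median(b["ttr_days"]) if b["ttr_days"] else None,
        }
        for t, b in buckets.items()
    }

# Constructed sample findings; the comments state the tier each row lands in.
SAMPLE = [
    Finding("web-01", "VULN-0001", 10.0, True, True, date(2025, 2, 1), date(2025, 2, 5)),      # P1, closed in 4 days
    Finding("web-02", "VULN-0001", 10.0, True, False, date(2025, 2, 1), None),                 # P1, still open, past SLA
    Finding("db-01", "VULN-0002", 7.5, False, True, date(2025, 1, 10), date(2025, 1, 30)),     # P2 raised to P1, 20 days
    Finding("kiosk-03", "VULN-0003", 4.3, False, False, date(2024, 12, 1), date(2025, 2, 1)),  # P3, 62 days, within SLA
    Finding("lab-07", "VULN-0004", 6.5, True, False, date(2025, 2, 10), None),                 # P2 via public exploit, open
]
AS_OF = date(2025, 2, 21)  # constructed report date

def sample_metrics() -> dict:
    """The tiered time-to-remediate report for the constructed sample."""
    return remediation_metrics(SAMPLE, AS_OF)

if __name__ == "__main__":
    import json
    print(json.dumps(sample_metrics(), indent=2))
```

The report answers "how long does it take us to fix the things that matter?" separately from the long tail: on the sample, the P1 tier shows two findings past SLA even though the raw count of open vulnerabilities is small, which is the prioritization signal a plain average time-to-remediate would hide.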


Jim McConnell

Chief Security Officer • Chief Information Security Officer • Physical Security • Cyber Security • Metrics • Executive Protection • M&A • Supply Chain • Fraud • I Create or Mature Your Converged Security Program

4 days ago

Good stuff!! Caroline Wong has an awesome book on this topic, and I also have a resource that might be helpful: https://www.amazon.com/Converged-Security-Metrics-Top-Solutions/dp/B0BSWNG6QM/
