I released a free workbook on security metrics
And it was harder than I thought
Earlier this week I finally released The Security Metrics Workbook into the world. It's a short workbook focused on defining security metrics (what are we measuring and why) that I had been working on for months prior. At the time of this writing I have given out 1,000+ copies for free (both physical and digital).
Truth be told, when I hit publish on the launch post on LinkedIn, I was quite nervous about what the reception from the wider community would be. For a book titled “The Security Metrics Workbook” the scope of content was actually rather narrow: defining security metrics. This is but a tiny slice of the pie of the entire process:
The reason I wrote this in the first place, however, is quite ironic. From my perspective there were three general areas of security metrics: Performance Indicators, Risk Indicators, and Control Indicators.
Most of the guidance I was reading, however, took a perspective from one (or maybe two) of these areas. The reality is that a metrics program encompasses all three, and they are used for entirely different purposes and outcomes. I believe that most of the disagreement on security metrics and how they are used (including the quantitative risk management movement) is rooted in this disconnect.
So, when I finally decided the best way to distribute my thoughts on the subject was longform writing, I sat down to create this thing with a couple of goals in mind:
It cannot be long. I want almost everyone who starts reading it to finish reading it.
It needs to be pragmatic and useful.
Readers should DO something with it, not just consume it (hence the workbook form).
I sure hope I met those three goals. You’ll have to let me know.