Security Metrics
A Beginner's Guide
An extraordinarily thorough and sophisticated explanation of why you need to measure the effectiveness of your security program and how to do it. A must-have for any quality security program!
Dave Cullinane, CISSP, CISO & VP Global Fraud, Risk & Security, eBay
Beginners in security need a guide that manages complexity without sacrificing detail. Wong's remarkably clear, comprehensive manual delivers what they need.
Richard Thieme, author of Mind Games and Islands in the Clickstream and global speaker on the impact of technology
About the Author
Caroline Wong, CISSP, was formerly the Chief of Staff for the Global Information Security Team at eBay, where she built the security metrics program from the ground up. She is well known for her expertise in the area of security metrics and has been a featured speaker at industry functions, including RSA (USA and Europe), ITWeb Summit (South Africa), Metricon, the Executive Women's Forum, ISC2, and the Information Security Forum. Caroline contributed as a technical reviewer to the Center for Information Security Consensus Metrics Definitions. She has also worked with the Cloud Security Alliance to define metrics for the cloud computing space.
Caroline graduated from U.C. Berkeley with a B.S. in Electrical Engineering and Computer Sciences, has a Certificate in Finance and Accounting from Stanford's Executive Education Program, and is CISSP certified. She was awarded the 2010 Women of Influence One to Watch Award by the Executive Women's Forum.
About the Contributors
Betsy Nichols is the CTO and Co-Founder of PlexLogic LLC, which offers a Metrics-On-Demand service called MetricsCenter, and is the original creator of MetricML. MetricsCenter implements both a for-profit security metrics web site at www.metricscenter.net and an open and free public resource for security metrics at www.MetricsCenter.org. MetricML is an open, web services-based framework for creating, collaborating on, and sharing metric definitions and data. Betsy is an active participant in many public, community, and private enterprise security metrics projects, in addition to helping initiate the CSA working group. Betsy earned her Ph.D. in Mathematics at Duke University and her undergraduate degree at Vassar College.
Lynn Terwoerds is the Director of Compliance at Microsoft Corporation. Highly respected in both business and technical circles, Lynn is an active member of the Cloud Security Alliance and leads its Cloud Security Metrics working group.
Before joining Microsoft, Lynn was Vice President of Business Development for SafeMashups, where she maintained a focus on developing and managing strategic relationships. She was the head of Security Architecture and Standards for Barclays' global retail and commercial bank based in London. Prior to that, she spent more than eight years with Microsoft, leading efforts in security response, Trustworthy Computing, and critical infrastructure protection. Before entering the software industry, she worked with various solutions integrators, providing consulting services to Fortune 100 companies, giving her 20 years of overall IT industry experience. Lynn is a CISSP and CEH, and holds a master's degree in Classics.
About the Technical Editors
Jim Reavis is the President of Reavis Consulting Group, LLC, where he advises security companies, large enterprises, and other organizations on the implications of new trends, such as cloud computing, and how to take advantage of them. Jim has previously been an international board member of the ISSA, a global not-for-profit association of information security professionals, and formerly served as the association's Executive Director. Jim was a co-founder of the Alliance for Enterprise Security Risk Management, a partnership among the ISSA, ISACA, and ASIS, formed to address the enterprise risk issues associated with the convergence of logical and traditional security. Jim is helping shape the future of information security as co-founder, executive director, and driving force of the Cloud Security Alliance. Jim was recently named one of the Top 10 Cloud Computing Leaders by SearchCloudComputing.com.
Tara Darbyshire is a founding board member of the Archer Foundation, a nonprofit charitable organization whose mission is to advance entrepreneurial achievement in Kansas, extend the reach of community service programs, and foster educational opportunities for students and single mothers. Prior to joining the Archer Foundation, Tara was a co-founder and the Executive Vice President of Business Development and Sales for Archer Technologies, where she set the strategic direction for all sales programs and business development activities from early 2001. Prior to joining Archer, Tara held the positions of Vice President of Sales and Marketing for eSecurityOnline, National Director of Sales for the Information Security practice of Ernst & Young, and Senior Sales Manager for MCI Telecommunications. Tara has more than 15 years of experience in strategic sales and business development with Fortune 500 companies and in managing and implementing successful sales programs.
Security Metrics
A Beginner's Guide
Caroline Wong
Copyright 2012 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-174401-0
MHID: 0-07-174401-0
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174400-3, MHID: 0-07-174400-2.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. ("McGraw-Hill") and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill's prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.