Security metrics are often about the performance of information security professionals - traditional ones are centered around vulnerability close rates, timelines, or criticality ratings. But how does one measure whether those metrics are the right ones? How does one measure risk reduction, or how successful a metrics program is at operationalizing what is necessary to prevent a breach?
Michael Roytman is responsible for building out Risk I/O’s analytics functionality, and has been selected to speak at BSides, Metricon, SIRACon and more. His work at Risk I/O focuses on security metrics, risk measurement, and vulnerability management, and has been published in USENIX. He formerly worked in fraud detection in the finance industry, and holds an M.S. in Operations Research from Georgia Tech. His home in Chicago contains a small fleet of broken-down drones.