I think Brian reached out to me for this podcast in part because I’m a metrics fanatic; I am really into this stuff! My first book focuses on measuring the likelihood of having large losses like a breach. It’s apparently popular with the actuaries – although I have yet to be invited to their parties. My second book, which will be out shortly, focuses on security metrics with some simple data science sauce accessible to those who can type. And my new company, Soluble.ai, is rolling out substantial security metrics capabilities as a by-product of our multi-cloud visibility and automation platform.
I know I also share this with Brian and Verodin: we want to help security teams answer fundamental security capability questions. For example: How do I know I have the right security capabilities? And how do I know they are working? Verodin shines on the second question!
Having answered those, try this on for size: Can I prove my capabilities are scaling? Meaning, am I able to cover increasingly more risk with increasingly fewer resources? Platforming is all about this; shouldn’t security be about it too? What if I have negative scaling without knowing it?!
If I can prove my capabilities are scaling, can I also determine if they are optimizing? Am I seeing a continuous and incremental reduction in security risk? Or, maybe I am getting incrementally worse and I don’t know it!
For me, this is metrics at its fundamental core. It’s also what I believe Verodin is all about – particularly when it comes to answering the “is it working?” question. They answer with high fidelity and in a scaled-out manner. Without them, you would be left with more traditional scanning and pen testing approaches to controls validation. And while those are great practices, they can’t give you the same coverage and consistency that Verodin gives.
I hope you enjoy this podcast as much as I enjoyed doing it. I am a huge believer in what Verodin is doing. They are trying to help you “Prove It!” when it comes to security. And that’s also what metrics do when done right. They help you prove that what you are doing works and is improving in an unambiguous manner.