Creating a Security Metrics Program: How to Measure Programmatic Success
Author: SANS ICS Security
Uploaded: 2020-02-29
Views: 283
Description:
We’ve heard it all before: “Our team handles 500,000 cyber attacks per day.” “Cyber threats are increasing.” “We track cybersecurity as a critical risk for our organization.” But what does any of that really mean? Creating measurements and metrics around cybersecurity is difficult, but so is building a sustainable metrics program, regardless of the subject matter. Early tasks, including measuring what is important and resource management, can be undermined by external pressures to tell a certain narrative or prove certain results. How can our industry create unbiased, yet compelling, metrics? What is the right-sized team or amount of resources for a metrics program? Is such a program sustainable? This presentation will not only cover the basics of cybersecurity metrics, but also lay the foundation for how security teams can create a new metrics program that goes beyond red/yellow/green or compliance. By moving to objective and repeatable metrics, utility security leaders will be able to not only justify programmatic improvements, but also track trends across environments and future projects. With research from the U.S. Department of Energy, the Electric Power Research Institute, and the National Institute of Standards and Technology, practitioners can build a defensible security metrics program across strategic, tactical, and operational levels of the utility.
Jason D. Christopher is the Chief Technology Officer for Axio. His responsibilities include providing technical leadership on security and resilience issues relevant to Axio, its partners, and clients, and the development of all Axio technology platforms for security metrics and benchmarking.
Prior to Axio, Jason led the research for cybersecurity metrics and information assurance at the Electric Power Research Institute. Previously, he was the technical lead for cybersecurity capability and risk management at the US Department of Energy, where he managed the Cybersecurity for Energy Delivery Systems Operations program, which included the Cybersecurity Capability Maturity Model and other collaborative efforts. Jason also served as the program lead for both Critical Infrastructure Protection Standards and Smart Grid Security at the Federal Energy Regulatory Commission.
Mr. Christopher has worked on a variety of infrastructure projects, particularly in the field of industrial control systems design and implementation. He has also researched and designed technology systems across multiple industries, including energy, water, transportation, and communications. He has been a representative on the Federal Smart Grid Task Force, the Critical Infrastructure Protection Committee (CIPC), and other technical committees.
Independent of his work at Axio, Jason is a member of the Institute of Electrical and Electronics Engineers (IEEE-USA) Energy Policy, Communications Policy, and Research & Development Policy Committees. Over the past decade, Jason has focused on the development of cybersecurity standards and practices for the nation's critical infrastructure.
Outside of the workplace, Jason focuses on Science, Technology, Engineering, and Mathematics (STEM) education issues. He has lectured at several universities across the country and developed cross-disciplinary courses focusing on resilience, sustainable energy, and community design.
Mr. Christopher holds a Bachelor of Science and Master of Engineering from the State University of New York at Binghamton, and a Master of Engineering degree in electrical engineering from Cornell University.
@jdchristopher