Book review: PRAGMATIC security metrics
I am absolutely delighted to announce the release of PRAGMATIC Security Metrics, a new book published by Auerbach/CRC Press.
It was my honor to collaborate on the writing with Krag Brotby, famed author of previous best-sellers on information security governance and security metrics and, for some years now, editor of the official CISM Review Manual for ISACA. Many of you will know Krag from his CISM courses. Krag took quite a chance in agreeing to co-author a book with me. Although I am researching and writing security awareness materials all the time, this is the first actual book I have written, aside from my PhD thesis (long since forgotten). I do hope I haven't let him down!
Writing the book took a lot of hard work between us, most of it online. Google Docs was invaluable in spanning the thousands of miles between Krag's home in California and mine in Hawkes Bay. We constantly fed off each other's creative energy, taking inspiration partly from other authors and academics in this field but mostly from our own practical experience, struggling to institute worthwhile security metrics for previous employers and clients.
Metrics is arguably the hardest remaining nut to crack in information security. It's a serious challenge even for the grayest of gray beards. Most of us have tasted occasional success with particular security metrics but found it elusive and difficult to repeat under different circumstances, most notably when moving from one organization to another. Exploring the reasons why that might be, and trying to find a universal approach to develop security metrics for any organization, was the task we set ourselves.
We have ended up with a very practical book, aimed at practitioners in the trenches. There is precious little mathematics, number theory and statistics. We've sprinkled it liberally with time-saving tips for busy information security managers and CISOs tasked with reporting to management on the organization's security situation. For C-suite executives and others, we have detailed the substantial governance, compliance and risk management advantages that stem from being able to measure and improve information security systematically and effectively, at last. The sequence of chapters reflects the metrics lifecycle, from specification and design through development to implementation, use, management and improvement. There are stacks of example metrics and extensive footnotes, too, so we encourage you to skim through the main text in order to understand the PRAGMATIC approach as a whole on a first pass, then go back to pick up on the more detailed notes and references when you are applying the method for real.
We have set up a website to promote and support readers of the book, along with a blog and FAQ.
Order the book online now from Amazon/Book Depository, CRC Press, Foyles, Booktopia, !ndigo, Bokus, Red Pepper, Powell’s, QBD and elsewhere. Please do let us know what you make of it. Honest, thoughtful reviews of the book are very welcome, along with feedback comments and improvement suggestions via the book's discussion forum. Help us advance the profession!