At the RSA Conference today, I attended an excellent panel discussion titled Y U NO HAZ METRICS? The speakers were David Mortman, Jack Jones, Alex Hutton, and Caroline Wong, and the panel was was moderated by John Johnson. The panel discussed risk management more than they discussed specific metrics, which was slightly different than what I expected. However, the panel surpassed my expectations.

A commenter towards the end of the session made an analogy which I thought was a good one. He said that risk management is like risotto. It has three basic ingredients, and you put them together and adjust the balance until it tastes good to you. In other words, no two risottos (or risk management programs) will ever be exactly the same. The commenter then brought up this follow-up concern: that we as an industry don’t even have an agreed-upon list of standard ingredients for our risk management risotto.

There are different risk management frameworks, which use and rely on different ingredients. However I think that Alex Hutton said it well:


Metrics are a critical part of a risk management system. Without metrics, it is impossible to tell whether the mitigation techniques and controls are working. In today’s world, you have an infinite number of threats and concerns to be worried about, and a fixed amount of time, money, and energy that can be spent. Without metrics, how can you determine where to spend that time, money, and energy? And how can you justify that the time, money, and energy was spent in the right place when you are served with a lawsuit because of a breach?

The last and possibly most important takeaway I’ll provide is this: useful metrics must relate to business value. Typically, risk management systems include metrics such as percentage of systems that are fully patched or amount of time it takes to apply a patch. These on their own are not useful metrics to a risk management system. They are only useful if they are tied back to things that are important to the business. So consider instead that the business impact of unpatched systems is that you could have a virus outbreak, and spend days restoring systems and handling the PR nightmare you’ve created. Or consider the business impact of having your e-commerce site down for three hours while you deploy patches.

This talk filled up and is being offered again today at 4:30 as an encore session here at the conference, so if you missed it, go check it out!