As a security team, you are what you measure. The problem is that too many security teams are counting vulnerabilities, not measuring risk. It’s time to examine how vital it is for security teams to establish risk-based metrics, and to look at some examples of both the right and wrong measures to use.
Why is the distinction between these approaches so vital? It’s essential for security teams to understand the spectrum of risk, based both on the likelihood of an incident and the potential damage that may result.