The massive budgets devoted to cybersecurity need to come with better metrics.
Why is so much of technology security such a mystery? In particular, why does it have so few metrics?
I get it. For any given company, if there hasn’t been a breach lately, it’s assumed that defenses must be working. But shouldn’t there be better measurements of effectiveness? Some level of business accountability? A basic ROI calculation?