foreword

Unlike the many areas of business that sport obvious sets of metrics offering easy-to-understand, actionable intelligence—and where modern professionals can learn from numerous decades of others’ experience generating and acting on highly meaningful measurements—the world of cybersecurity is not only relatively young and quickly changing, but also one in which the most significant events that demand the greatest attention and should factor most heavily into KPI measurements are often invisible to those responsible for measuring them.

Cybersecurity professionals cannot simply measure the number of breaches, or the financial or operational outcomes thereof; cybersecurity KPIs must capture unseen risks, evolving threats, and preventative actions—many of which have results that are not only intangible in the short term, but also impossible to correlate to their original investments of time, money, and effort. How does one capture the fact, for example, that a particular investment within a cybersecurity program motivated an attacker to pursue a different target than originally conceived?