Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business and the ever-present, ever-evolving threats to that business. At the same time, all too often we security professionals get caught up in "shiny object syndrome", which leads us to spend poorly, allocate resources unwisely, and generally decouple from the organization we're chartered to defend. Knowing how to defend begins with knowing what you'll be defending, why it is worth defending, and who you'll be defending it from... and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond-the-tools perspective... so follow the Wh1t3 Rabbit and remember that tools alone don't solve problems; strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Numbers Never Lie, But You May Be Asking the Wrong Questions

If metrics are your thing, and you run (or have a stake in) a software security program, or any flavor of security program actually, I invite you to check out this post. Then come see my talk at the RSA Conference 2014 in a few weeks. KPIs may change your outlook on what you do.

The subtle difference between metrics and insight

Mark Twain popularized the phrase "There are three kinds of lies: lies, damned lies, and statistics"... well, I think we can add a fourth, affectionately known as "security metrics". If you've ever reported security metrics, you likely know exactly what I'm talking about... here's a little insight.

Metrics, KPIs and making business sense of Information Security

What is the difference between a metric and a KPI?

If you're still reporting metrics to your management, you're probably wasting a lot of time and accomplishing very little. I know this from experience. It's time to get Information Security some respectability and get off that hamster wheel; KPIs are your way off.

Technical Whitepaper - "Tracking Performance of Software Security Assurance - 5 Essential KPIs"

Hi everyone, today I'm happy to announce that my technical whitepaper titled "Tracking Performance of Software Security Assurance - 5 Essential KPIs" is available for public distribution!

You can get your copy right here, and feel free to share it, provide feedback in any of the many forums you can find me in, and discuss! I'd love your feedback on how to make the next version better.

Like 0day, But for CISOs

While those of us who lovingly embrace the term "security nerd" are forever chasing the next cool, sexy 0day attack vector or breakage, your CISO probably gets more excited about "compensating controls" and things of that nature. If you really want to make a CISO sweat, ask them to show you the ROI on their security program!

Labels: KPIs | OWASP

KPIs - Key Performance Indicators: Why You Care

It's been a very interesting couple of weeks since we officially released my 5 Web App Security KPIs back on October 5th via the SANS ToolTalk webcast. I've noticed that over the last month or so I've had one of two types of conversations, so I'll sum them up here in a tidy blog post in case you're thinking about pinging me on the subject, or if you haven't heard yet.

Webcast: "Magic Numbers - 5 Essential KPIs for Web App Security"

Many of you have been asking me if we have a recording of the video from the SANS webcast from Oct. 5th. You're in luck ... because we just so happen to have it recorded.