ABSTRACT

Data-driven security refers to using measurable factors to drive a security program. A data-driven security program helps management understand that security is more than a must-have expense: it justifies costs by showing proof of success that, when presented effectively, can win the necessary buy-in from upper management and demonstrate a convincing return on investment. The National Institute of Standards and Technology defines metrics as tools designed to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. In addition to establishing a baseline against which a company's metrics can be compared, metrics are also used to justify budgets, provide data for decision making, and improve security practices. A metric system incapable of assessing the latest data is useless, so placing more weight on more recent data is a common practice.