Case Study: Verizon Business Builds An Asset-Based Security Metrics Program

In response to the evolving security threat environment and heightened attention to regulatory compliance, many companies started migrating from a purely reactive security program to a proactive risk-based security program. This has led to new challenges for chief information security officers (CISOs), who now need to convert the risk management vision set by the business into an actionable strategy for the security and risk management program. Sara Santarelli, CISO at Verizon Business, started moving her security practice in this direction five years ago when her team was developing an IP risk dashboard that is driven by "asset-based" metrics. Not only does this dashboard measure the effectiveness of the risk management program, but it also translates these measures into an actionable risk mitigation strategy. With asset-based testing and measurements, the results also provide the basis and justification for new security investments and projects.