Security Metrics that Count
Harini Rangarajan of Twilio (a customer engagement platform) published a blog post on 30-11-2021 called 'Security Metrics that Count'.
They found (by using metrics!) that different audience groups within Twilio were interested in different kinds of security metrics:
- Executive-level leadership wanted to understand the security posture across the organization
- VPs wanted to understand the security posture of their specific business units
- Product managers wanted to understand the security posture of their products
- Engineering managers wanted to understand how many open vulnerabilities were present and which ones their teams should prioritize fixing.
They distinguish metrics that capture the security 'health' of the organization from metrics that capture the maturity of the security program. These metrics are shown in a table in the blog post.
To establish the current security posture of their products, they added extra fields to their (development) ticketing system, Jira, for Vulnerability Category, Vulnerability Source and Business Unit. They then used this data to generate dashboards for the different audiences.
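As an added illustration (not code from the Twilio post), this is how vulnerability tickets tagged with those Jira fields could be rolled up into the four audience views listed above. The ticket records, the severity scale, and the fields beyond the three the post names (product, team, status, severity) are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample tickets. The category, source and business_unit fields
# mirror the three custom fields the post describes; the rest are assumed.
TICKETS = [
    {"key": "SEC-1", "category": "Injection", "source": "Pentest",
     "business_unit": "Messaging", "product": "SMS API", "team": "sms-core",
     "status": "Open", "severity": "High"},
    {"key": "SEC-2", "category": "Broken Auth", "source": "Bug Bounty",
     "business_unit": "Messaging", "product": "SMS API", "team": "sms-core",
     "status": "Open", "severity": "Critical"},
    {"key": "SEC-3", "category": "XSS", "source": "SAST",
     "business_unit": "Messaging", "product": "Voice API", "team": "voice-platform",
     "status": "Closed", "severity": "High"},
    {"key": "SEC-4", "category": "Misconfiguration", "source": "Cloud Scanner",
     "business_unit": "Identity", "product": "Verify", "team": "verify-backend",
     "status": "Open", "severity": "Medium"},
    {"key": "SEC-5", "category": "Vulnerable Dependency", "source": "SCA",
     "business_unit": "Identity", "product": "Verify", "team": "verify-backend",
     "status": "Open", "severity": "Low"},
]

# Assumed ordering: lower rank means fix first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def open_tickets(tickets):
    """Only unresolved findings count towards current posture."""
    return [t for t in tickets if t["status"] != "Closed"]


def org_posture(tickets):
    """Executive view: open vulnerabilities across the whole organization, by severity."""
    return dict(Counter(t["severity"] for t in open_tickets(tickets)))


def posture_by(tickets, field):
    """VP view (field='business_unit') or product-manager view (field='product'):
    open vulnerabilities per value of `field`, broken down by severity."""
    out = defaultdict(Counter)
    for t in open_tickets(tickets):
        out[t[field]][t["severity"]] += 1
    return {k: dict(v) for k, v in out.items()}


def team_priorities(tickets, team):
    """Engineering-manager view: a team's open ticket keys, most severe first."""
    mine = [t for t in open_tickets(tickets) if t["team"] == team]
    return [t["key"] for t in sorted(mine, key=lambda t: SEVERITY_RANK[t["severity"]])]
```

The same `posture_by` call with `field="source"` or `field="category"` gives the breakdowns that feed the program-maturity side of the post's table (which detection sources find what).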