How do we measure effectiveness in the field of information security? As I’ve explored information security, improvement efforts and how to measure progress over the past few years, the only consistent answer I’ve found is – it depends. Given how very broad the topic of information security is, that is in many ways a comforting answer.

A CSO or CISO might be attempting to apply Return on Investment techniques or might be taking an approach that applies the Balanced Scorecard techniques to security, but in some organizations only regulatory compliance may matter. The operational security teams at various companies will likely be using some form of risk management process – though whether they measure relative results or specific financial results will also vary.

If instead you talk to home users, they’re more likely to think about effective security in terms of personal experience and whether they’ve recently been infected with malware or spyware. On the other hand, how do you rate the security of software vendors? Is it by how much time you spend patching? Number of vulnerabilities? How much time your software is exposed without a patch? And where do you get your metric information?

I am excited to join the team of security contributors on CSO Online and launch the “Security by Numbers” blog. I’ve been focused on computer and information security for my entire 20-year career, and in my current role as a Director at Microsoft, I’ve become fascinated by how to measure security progress, what it means to different audiences and finding methodical, repeatable metrics to determine where perception ends and reality begins when it comes to security. I hope to create a forum for discussion here where we can have fun discussing all manner of security topics, but with the recurring theme of seeing if we can make it practical, useful and measurable.
I expect to learn from this experience too, so if you have thoughts or questions – send comments my way and we can dig into them together.

Best regards ~ Jeff