


A focus on security metrics

Feb 16, 2007
Data and Information Security | IT Leadership

How do we measure effectiveness in the field of information security? As I’ve explored information security, improvement efforts and how to measure progress over the past few years, the only consistent answer I’ve found is: it depends. Given how broad the topic of information security is, that is in many ways a comforting answer.

A CSO or CISO might be attempting to apply Return on Investment techniques or might be taking an approach that applies the Balanced Scorecard techniques to security, but in some organizations only regulatory compliance may matter. The operational security teams at various companies will likely be using some form of risk management process – though whether they measure relative results or specific financial results will also vary.

If instead you talk to home users, they’re more likely to think about effective security in terms of personal experience and whether they’ve recently been infected with malware or spyware. On the other hand, how do you rate the security of software vendors? Is it by how much time you spend patching? By the number of vulnerabilities? By how long your software is exposed without a patch? And where do you get your metric information?

I am excited to join the team of security contributors on CSO Online and launch the “Security by Numbers” blog. I’ve been focused on computer and information security for my entire 20-year career, and in my current role as a Director at Microsoft I’ve become fascinated by how to measure security progress, what it means to different audiences, and finding methodical, repeatable metrics to determine where perception ends and reality begins when it comes to security.

I hope to create a forum for discussion here where we can have fun discussing all manner of security topics, but with the recurring theme of seeing if we can make it practical, useful and measurable. I expect to learn from this experience too, so if you have thoughts or questions – send comments my way and we can dig into them together.

Best regards ~ Jeff

Jeff Jones is a 24-year security industry professional who has spent the last several years at Microsoft helping drive security and privacy progress as part of the Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft processes and products. Prior to Microsoft, Jeff was the vice president of product management for security products at Network Associates, where his responsibilities included the PGP, Gauntlet and CyberCop products and several improvements in the McAfee product line. These latest positions cap a career focused on security, managing risk, building custom firewalls and being involved in DARPA security research projects while part of Trusted Information Systems. Jeff is a frequent global speaker and writer on security topics ranging from the very technical to more high-level, CxO-focused topics such as Security TCO and metrics. Jeff is also a contributor to the Microsoft Security Blog and writes on a wide range of personal interests (e.g. books, poker, gaming) at