The Metrics Manifesto: Confronting Security with Data
E**S
Illuminating tome on incorporating uncertainty in security methodology
"You wouldn't need a manifesto if everyone already agreed with you." Despite the title (and that glorious sentence), this book isn't polemical -- but it is confident, and it is right. Cybersecurity experts may be tempted to posit that the landscape has become so uncertain that it's impossible to reason numerically. Rich Seiersen, Chief Risk Officer at Resilience Insurance, hammers home that the opposite is true: analytical methods are needed precisely because of uncertainty. He does this without any hand-waving: this book is a metrics book, mathematical in an unapologetic way. But security teams will thrive in their understanding of risk if they work through this book. And those who like to learn by doing will also gain a side benefit from the crisp interplay of code, narrative, and instruction.
A**R
Blisteringly Brilliant!
This is the most comprehensive, thoughtful, and complete strategy for how security organizations can lead with metrics. As a former CISO with more than 10 years of operational experience, I am often flabbergasted by the lack of organizational maturity and discipline security teams have managing the metrics that matter. The Metrics Manifesto is the definitive canonical thesis for how security organizations can deliver outcomes rather than outputs. I’m so excited to be an evangelist of this kind of strategy throughout my career. It. Just. Works.
I**N
To be read slowly, cheap print version
If you are an information security practitioner, you will find this book useful, but you may also need to "take it slowly," as the contents get denser the further in the book you get. My gripe with this book and the reason I took a star off is its poor printing quality. I purchased the Kindle version of the book first and decided to get the hard copy to read it away from yet another screen and to have access to well-printed color graphs. I was wrong. It looks like Wiley, a major publisher, no longer bothers with quality of print. The paper is newspaper-cheap and the illustrations are grayscale versions of what appears in the digital copy in color. Therefore, I am going to stick to my Kindle copy and am returning the hard copy.
R**P
The book for Security Data Scientists
I was tasked to show the value of a program within our security organization. I am relatively new to the security space but an experienced data scientist, so I had to learn what type of metric is important for executives, and this book got me what I needed. A very detailed approach, and security-focused data scientists would love this book.
D**D
Great combination of stories for context and technical details
To explain his thesis, Richard Seiersen pulls in a variety of useful stories and examples from the metaphorical right down to practical code. He takes the reader through the basics first, not just of security, but of insurance and how to think about probabilities. Anyone trying to tackle security metrics without understanding how probabilities work or how the insurance industry approaches risk is lacking an important foundation. Seiersen explains these fundamentals and then shows examples of actual R code. Metrics in security are sorely lacking and Seiersen is on the forefront of changing this.
S**M
Practical approach to Security metrics
The author takes you through a practical and hands-on approach, exactly what I was looking for. My entire team went through a couple of chapters and they were impressed with the depth of information this book provides. This book is going to help a lot of security practitioners out there!
H**H
Disappointed
While detailed in some aspects, I was disappointed at the lack of pragmatism and focus. Too much extraneous information made this painful to read.
S**T
Amazing book security insights!!
Loved the way the book is structured and very well written. Follows the end-to-end approach on performing analysis on key security metrics. The code is easy to understand.
C**E
Excellent. Very detailed chapters!
Impeccable!