
As everyone readies themselves for a week of security revelry at the RSA Conference next week in San Francisco, not enough has been said about Metricon9, the annual conference dedicated to security metrics, which takes place on Friday, February 28.

Metricon is an annual conference for security professionals that is hosted by, a community website for security practitioners that focuses on improving metrics and analytics in order to measure the effectiveness of security efforts more accurately.

This year, Tripwire’s Chief Technology Officer Dwayne Melancon and Senior Product Marketing Manager Katherine Brocklehurst will be presenting a talk titled Security Visualized, which will look at strategies for communicating highly technical information, metrics, and analytics to non-technical executives.

“Like the movie Moneyball, we’ve been working toward a single score that represents overall security posture – by division, by asset types, by business unit, by overall company, and also control data, etc. – plus the ability to drill down into underlying data for diagnosis,” Brocklehurst said.

The challenge of gathering/aggregating, normalizing, tracking, and trending has been significant, not to mention making it visually useful and actionable to non-technical senior executives. To date we have vulnerability, security configuration, and malware defenses, with more security controls to add.

“We’d like to share where we are in this, and some lessons learned from our old days at nCircle with the Benchmark product,” Brocklehurst continued. “Response by customer executives who have seen the early adopter product has been incredibly positive.”

Brocklehurst has been in the network security field for nearly twenty years, and has spoken at RSAC, SANS, the Ponemon Institute, and many more events. Lately she has been focusing on helping organizations connect security with their business through metrics, analytics, and security visualizations that communicate to non-technical executive teams.

Melancon works with enterprises around the world to help them objectively connect security’s value to the business and establish metrics and methods to enable objective decisions and informed action in information security. He is a highly sought-after speaker, and will also be presenting four sessions at RSAC.

The security industry as we experience it today is a fairly young business and is growing into more mature frameworks, processes, and modes of communication. The ability to balance security risk with business demands is more relevant today than ever.

“This talk is about the journey to more sophisticated methods of conveying highly technical information, metrics, and analytics to non-technical executives with a genuine need to know, but who may often have no background or frame of reference to understand the information,” Brocklehurst said. “How to truly communicate the attack surface, threat opportunity, and defenses in place? This is our topic.”

This year’s Metricon9 event is an incredible gathering of brilliant thinkers who work in qualitative and quantitative methods to measure security effectiveness, but Melancon and Brocklehurst believe more can be done to convey those measures to the less technically savvy business class of enterprise leadership.

“Given the rate at which organized and highly professional attacks are succeeding, it becomes more important than ever to be able to truly communicate security status to non-technical professionals at every level in the organization,” Brocklehurst explained. “Strong metrics, analytics, and actionable security visualizations are essential.”

Brocklehurst says everyone needs to better understand that security is not the exclusive domain and responsibility of the IT team, that it’s a shared responsibility for every corporate citizen.

“Defenses for both individuals and businesses must be made more real, understandable, and actionable so that the security risks and business demands can be appropriately calibrated,” she said.

“As Tripwire has explored its portfolio of security controls, some underlying truths have surfaced, and we hope to share our journey to these realizations and provide a current look at our progress.”

Join Melancon and Brocklehurst at Metricon9, Friday February 28 at

The full speaker agenda is as follows:

  • Metricon 8 recap & “Breaking the mold of security metrics” (Pete Lindstrom / Bob Rudis)
  • Expecting the Unexpected: Using Public Vulnerability Data for Resource Planning (Kymberlee Price, BlackBerry Incident Response Team Incident Manager)
  • Methods for Large-scale Measurement of the Security of Internet Ecosystems (Christophe Huygens, Professor, Katholieke Universiteit Leuven)
  • Measuring Third-party Security Risk (Stephen Boyer, BitSight)
  • Seeing the Elephant – Using collected data points to design and roll out software initiatives (Geoffrey Hill, Artis-Secure)
  • Behind The Curtains of the SilverSky Report (Andrew Jaquith, CTO, SilverSky)
  • Behind The Curtains of the Verizon DBIR (Jay Jacobs, Verizon)
  • Security, Visualized (Katherine Brocklehurst, Tripwire)

And be sure to join us at Tripwire’s RSAC Booth (3501) to get your free customized t-shirt printed on the spot, and listen to an array of in-booth guest speakers we have lined up. For the speaking schedule and information on how to obtain a free RSA Expo pass, see more details here.

