I just recently finished reading the excellent book, Security Metrics: Replacing Fear, Uncertainty, and Doubt, by Andrew Jaquith. Andrew has written a book, not one that I would like to write someday, but a book about a topic that hasn’t been written about before, and he certainly has something (many things!) to say about it.
In fact, I have to make mention of a phrase that totally made me happy to see, since I rarely get such literary enjoyment from technical texts. On page 118, we have this gem: “perfidious outsourcers pilfering proprietary secrets.”
This book is definitely worthwhile for anyone who ever has to present security metrics as a part of their job. I would also recommend it for any security operations people who want to understand why some metrics should be gathered and how to better give their analysts and managers what they want. Likewise, security operations people are likely the future analysts and managers anyway, so this makes for a very good early orientation to the important questions and how to answer them appropriately, as well as to self-evaluating their own systems according to more appropriate metrics.