I spent some time earlier this week at mini-metricon, a workshop that was inspired by the success of Andrew Jaquith’s security metrics mailing list and the larger Metricon, which is held each year in conjunction with the USENIX Security Conference. In essence, members of the mailing list gather each year on the Monday before RSA and share what they are doing with regard to security metrics within their organizations.
It was a great event, where a lot can be learned in a very short period of time. So far, we’ve already had some great presentations from a variety of large companies such as eBay, Google and Kaiser Permanente to name just a few. The morning will close out with Andrew Jaquith hosting a CISO Mashup panel which should be interesting as well.
The highlight of the afternoon was a panel presentation on “Metrics from Real Data” featuring Wade Baker from the Verizon Business Intelligence team, covering the highlights of the recently released 2009 Data Breach Investigations Report, Jeremiah Grossman of WhiteHat Security discussing “Top Website Vulnerabilities” and Bill Pankey on “Security Awareness Metrics”.
We also had panels on Risk Frameworks and another on Models. All in all, it was a great event and I’m already looking forward to Metricon 4.0 this summer. To see more about what you are missing, check out the full agenda for today, which has been posted to the Security Metrics website. Additionally, I’m told that most of today’s slides will be posted there as well. Twitter conversations are being tagged with #minimetricon.