I’ve always been interested in using metrics to present a pattern and see if action could be taken from them. I’ve seen many organizations using metrics, but I can’t say I’ve seen an impact on the organization because of them. An example would be, “As you see here in the graph, phishing attempts were highest on Thursday.” I was always left with the feeling of “So?” and “Now what?” Nor did I ever see movement when metrics were presented. I feel that the metrics I have experienced up to this point in my career just haven’t been impactful.
I look up to Expel.io a lot. Some of their blog posts are great, and in some ways, I wish I could sit in their environment and learn. One person in particular whose tweets and blog posts I find interesting is Jon Hencinski. Hencinski has done a series with his colleagues on metrics, which can be found here: https://expel.com/blog/performance-metrics-measuring-soc-efficiency/
I tell you all this because the reason for getting this book was maybe to spark that “aha moment” and maybe for metrics to start clicking for me. The predecessor book, “How to Measure Anything in Cybersecurity Risk,” had high reviews, and I thought I would take a chance on the newer book. Unfortunately, nothing was sparked by reading this. I don’t think it’s the author’s fault by any means, but it just didn’t help me understand metrics any better in a way I can use practically. I feel like I’m just doomed to not understand how they can be used practically. With that in mind, I’ll still give my perspective on the book.
I have to say you must get a physical copy of the book. There’s no way audio is an option here. A good half of the book consists of graphs and code. Yes, there’s probably more code in here than you would think. The book is filled with so much code, which is awesome. If you want to follow along, you can easily do what he’s talking about. I would mostly skim through the code’s comments to try to understand what was happening, but I never sat down with this book and followed along by writing code. The number of graphs is tremendous too. Every code example has a section on what it would look like if you put in said data. Some graphs were super interesting; I would never have considered looking at the data that way. The one issue with the book is that everything is in greyscale, which makes the graphs difficult to read.
The book’s most enjoyable part for me is the little stories at the start of each chapter that tell how metrics were used to determine things in history, from identifying bomber patterns and gambling to identifying the sources of cholera outbreaks. I found it fascinating and, in some ways, I wish the book had more of these. The stories become less and less frequent the further you get into the book. I would love to see a book with 90% stories and 10% details about metrics.
The book, for me, was a hard read. I don’t have much background in this field, and maybe that’s part of my problem. Terms and acronyms are thrown around that aren’t second nature to me, so trying to remember what HID and ROPE are and how they’re being used went over my head.
I can’t recommend or not recommend this book for anybody. There might be some really good material in there that could trigger many new ideas for a security organization to track. I’ve read the Amazon reviews, and people are excited about this book. For me, it just didn’t click. I can say this: if you have no metrics background, either from work or school, this book is going to be rough. I’ll keep reading blog posts, books, and whatever else on this topic because I believe that, if done right, metrics could drive a security department in the correct direction. But until then, I’m just going to continue to search until I find that one thing that will make this all click for me.