Information Security PRAGMATIC Metrics Training, Level II
LIVE, INSTRUCTOR LED
November 6-7, 2021
$695 Early Bird until October 15, 2021
$845 Register after Early Bird
Conducted by International Computer Security Expert,
Krag Brotby CISM, CGEIT
Why Attend this 2-day Live, Online Training?
This is the ultimate how-to-do-it training for security metrics. This boot camp training is absolutely packed with helpful tips. Attendees learn how to specify, develop, use, and maintain an information security measurement system (a comprehensive suite of metrics).
ABOUT THIS TRAINING
The Information Security (InfoSec) PRAGMATIC Metrics Training provides invaluable tools and essential guidelines necessary for dealing with security metrics.
Attendees learn how to develop a system of effective and meaningful measures that will enhance security and improve the cost-effectiveness of any security program.
This very timely security boot camp covers the real-time, accurate and reliable metrics that are critical to every security program, regardless of size.
WHAT YOU WILL LEARN
Attendees of this boot camp training will take away a process, approach, and a set of tools to develop a system of effective and meaningful measures that will enhance security and improve the cost-effectiveness of any security program.
No profession has ever achieved status and credibility prior to developing effective metrics showing cause and effect, providing reliable prognostication and delivering the information needed by various parts of the organization to make informed decisions. Information security is no different. While practitioners frequently lament the profession’s lack of standing with business executives, we continue to fail to provide credible answers to essential questions and reliable evidence for the value of our craft. Most of us only provide management with obscure technical measures that do little to provide needed answers, actionable information or comfort, let alone assurance.
Based on the published book by Auerbach and co-authored by Krag Brotby and Gary Hinson titled PRAGMATIC Security Metrics, this intensive boot camp training is designed to provide a hands-on practical approach to developing, testing, and operating a set of metrics that actually support the business, providing management with the information needed to make crucial decisions on risk, security, control, assurance and governance.
While there are literally thousands of things that can be measured, the PRAGMATIC approach allows selection of the relatively few that are truly effective and provide a sound basis for making operational, management and strategic security decisions. This is done using the set of criteria defined by the PRAGMATIC acronym: a comprehensive set of maturity scales provides the measurement for each of the nine criteria, and the resulting scores are ranked to determine the best metric options.
ABOUT THE INSTRUCTOR:
This class is taught by renowned security expert and author of the official ISACA CISM Review Manual:
Krag Brotby CISM, CGEIT
Krag is the 'go-to' computer security expert for mastering the CISM exam. He has successfully trained thousands of CISM candidates over the past 16 years, preparing them for the very difficult CISM Exam.
- Author of the official ISACA CISM Review Manual since 2005.
- Author of the CISM Glossary Document and the CRISC Glossary Document.
- Served on the ISACA Security Practice Development Committee responsible for exam question development.
- Edited the entire 1,200-question CISM sample question database and wrote approximately 800 questions for the ISACA CISM QAE book.
- Taught CISM courses globally during the past decade, including at the US Pentagon and for the US Marine Corps, Navy and Army.
- Frequent security expert practitioner/instructor at conferences globally; lectures on information security governance, metrics, information security management, GRC and CISM exam preparation throughout Oceania, Asia, Europe, the Middle East and North America.
1. Information Security Metrics
1.2 Measures and Metrics
2. Why Measure Information Security?
2.1 To answer awkward management questions
2.2 To improve information security systematically
2.3 For strategic, tactical and operational reasons
2.4 For compliance and assurance
2.5 To fill the vacuum caused by our inability to measure information security
2.6 For profit!
2.7 For various other reasons …
3. The Art and Science of Security Metrics
3.1 Metrology, the science of measurement
3.2 Governance and management metrics
3.3 Information security metrics
3.4 Other advice on information security metrics
4. Metametrics and the Metrics Lifecycle
4.2 The information security metrics lifecycle
- Requirements specification
- Business case
- Architecture and design
- Metrics development
- Testing the metrics
- Metrics management and improvement
5. Designing and Developing Information Security Metrics:
5.1 Metrics systems architecture
- Optimal metrics combinations
5.2 Criteria for assessing potential metrics: introducing the pragmatism index
- Background
- The fundamental issue with measuring information security
5.4 The PRAGMATIC criteria
P = Predictive, Prescriptive
R = Relevant, Reliable, Robust and Repeatable
A = Actionable
G = Genuine
M = Meaningful
A = Accurate
T = Timely
I = Independent and has Integrity
C = Cheap, Clear, Concise and Credible
5.5 A worked example: applying the pragmatism index in practice
- Breakout Practicum – ranking sample metrics using PRAGMATIC criteria with maturity scales
- Class Review – reviewing consistency and relevance of ratings
6. What to Measure
6.1 Shortlisting information security metrics using the pragmatism index
- Derivative measures, indicators and proxies
- Observer bias
- Observer calibration
6.2 PRAGMATIC metrics scoring examples
- Logical security metrics examples
- Personnel security metrics examples
- Physical security metrics examples
- Information security Key Risk Indicator examples
- Change and configuration management metrics examples
- Incident management metrics examples
- Information security control metrics examples
- Control objectives
- Business alignment of control objectives
- Controls policy
- Control relevance
- Control monitoring and testing
- Information security compliance and assurance metrics examples
- Quality assurance metrics examples
- Cloud computing metrics examples
- Security culture metrics examples
- Information security management and governance metrics
- Financial information security metrics
- Hybrid metrics examples
7. What Not to Measure
7.1 What gets measured gets done
7.2 Changing a culture
8.1 Key lessons and take-home messages
8.2 An action plan
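As an added illustration of the selection step the course outline describes (example code written for this page, not material from the course or from the PRAGMATIC Security Metrics book), the following Python scores candidate metrics against the nine PRAGMATIC criteria, ranks them by a pragmatism index, and flags criteria where raters disagree, which is the observer-bias and calibration problem named in section 6.1. It assumes each criterion is rated 0-100 on a maturity scale, that the index is the unweighted mean of the nine consensus scores, and that a spread of more than 20 points between raters warrants recalibration; the metric names and ratings are constructed.

```python
from statistics import mean
# The nine PRAGMATIC criteria named in the course outline (two begin with "A").
CRITERIA = ("Predictive", "Relevant", "Actionable", "Genuine", "Meaningful",
            "Accurate", "Timely", "Independent", "Cheap")

def validate_sheet(sheet):
    """One rater's sheet: exactly one 0-100 maturity-scale score per criterion."""
    if set(sheet) != set(CRITERIA):
        raise ValueError("sheet must score exactly the nine PRAGMATIC criteria")
    for crit, score in sheet.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{crit}: {score} is outside the 0-100 scale")

def pragmatism_index(sheets, spread_limit=20):
    """Combine several raters' sheets for one candidate metric into
    (index, flagged). The index is the unweighted mean of the nine consensus
    scores (an assumed formula, not the book's); flagged lists criteria where
    raters differ by more than spread_limit points and should be recalibrated."""
    for sheet in sheets:
        validate_sheet(sheet)
    consensus, flagged = {}, []
    for crit in CRITERIA:
        scores = [sheet[crit] for sheet in sheets]
        consensus[crit] = mean(scores)
        if max(scores) - min(scores) > spread_limit:
            flagged.append(crit)
    return round(mean(consensus.values()), 1), flagged

def rank_metrics(candidates, spread_limit=20):
    """{metric name: [sheet per rater]} -> [(name, index, flagged)], best first,
    so the shortlist for section 6.1 is simply the top of the list."""
    scored = [(name, *pragmatism_index(sheets, spread_limit))
              for name, sheets in candidates.items()]
    return sorted(scored, key=lambda row: row[1], reverse=True)

def sheet(*scores):
    """Build a rating sheet from nine scores given in PRAGMATIC order."""
    return dict(zip(CRITERIA, scores))

# Constructed sample ratings: two raters scoring three candidate metrics.
CANDIDATES = {
    "Systems patched within SLA (%)": [sheet(80, 90, 90, 80, 80, 70, 90, 60, 80),
                                       sheet(80, 90, 90, 80, 80, 70, 90, 50, 90)],
    "Firewall rule changes per month": [sheet(30, 40, 30, 70, 30, 80, 70, 50, 90),
                                        sheet(30, 40, 30, 70, 60, 80, 70, 50, 70)],
    "Phishing simulation click rate": [sheet(70, 80, 80, 70, 90, 60, 60, 70, 80),
                                       sheet(40, 80, 80, 70, 90, 60, 60, 70, 50)],
}
for name, index, flagged in rank_metrics(CANDIDATES):
    print(f"{index:5.1f}  {name}  recalibrate: {flagged or 'none'}")
```

With the constructed ratings the patching metric ranks first with no disagreement, while the phishing metric's Predictive and Cheap scores and the firewall metric's Meaningful score are flagged for the class-review step.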
This course is based on the published book PRAGMATIC Security Metrics (Auerbach, 2013), co-authored by Krag Brotby and Gary Hinson.
As this course is based on the book, it is strongly recommended that attendees read the book prior to attending the online course for the most benefit.
- Access to the online training class recording after the training is held.
- The instructor’s actual classroom presentation slides.
- Megamind Training Institute Certificate of Completion: 2-Day InfoSec PRAGMATIC Metrics Training (12 hours)
WHO SHOULD ATTEND:
This training class is designed to help IS professionals who are struggling to make sense of security metrics, or who are searching for better metrics to manage and improve information security.
A must-attend for: ISMs, CISOs, CIOs, CROs, COOs, auditors, security operations, and senior, middle and junior management levels.
Anyone involved with information security would greatly benefit from this training.
Early registration is recommended as this course fills up quickly. To ensure admission, fees must be paid in advance.
ONLINE CLASS SCHEDULE:
Attend this live, instructor-led online training from your own personal working environment — from your home or your office via the internet.
All classes run 2 full days from 7:00AM-2:00PM (PT) except where noted.
There are two morning sessions and two afternoon sessions daily.
Each session is about 90 minutes long with a 15-minute break per session, and a 30-minute lunch break daily.
Pacific Time Zone: 7:00AM – 2:00PM
Mountain Time Zone: 8:00AM – 3:00PM
Central Time Zone: 9:00AM – 4:00PM
Eastern Time Zone: 10:00AM – 5:00PM
International Time Zones Vary According to Country
Cancellations will be accepted up to 10 working days before the scheduled course. After that time, no refunds will be given but substitutions may be sent at any time or tuition may be applied to a future training class.
Megamind reserves the right to cancel or postpone any scheduled training class.
FOR GROUPS OR TEAM TRAINING:
This class is available for group training:
private onsite -or- live, online training
For scheduling and pricing, email: firstname.lastname@example.org.