A Workshop on Measuring What Matters

February 2015 • Podcast

Presenter Lisa R. Young, Michelle A. Valdez, Katie C. Stewart Interviewer Julia H. Allen

This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team's experiences planning and executing the workshop, and identifying improvements for future offerings.

Publisher:

CERT

Subjects

Measurement and AnalysisMeasurement and Analysis

Listen

Abstract

This podcast summarizes the inaugural Measuring What Matters Workshop conducted in November 2014, and the team’s experiences in planning and executing the workshop, and identifying improvements for future offerings. The Measuring What Matters Workshop introduces the Goal-Question-Indicator-Metric (GQIM) approach that enables users to derive meaningful metrics for managing cybersecurity risks from strategic and business objectives. This approach helps ensure that organizational leaders have better information to make decisions, take action, and change behaviors.

Katie Stewart, Michelle Valdez, Lisa Young, and Julia Allen, the developers and facilitators of this workshop, are all members of CERT’s Cyber Resilience Management team. Further details about this workshop can be found in our workshop report.

About the Speaker

Lisa R. Young

Lisa Young, senior member of the technical staff with the Software Engineering Institute of Carnegie Mellon University, has 20+ years of experience in the information technology and telecommunications industry. She holds the designation of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and is experienced in IT governance, information audit and security, and risk management. Ms. Young teaches the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) risk-based security assessment methodology at the Software Engineering Institute. Her current line of research provides guidelines for improving the way organizations manage the processes of security, IT Operations, business continuity, compliance, and audit to support the organization's mission and critical success factors.

Michelle A. Valdez

Michelle Valdez is a senior engineer within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. She is working on cyber resilience and risk management projects using the CERT Resilience Management Model (RMM) with CERT’s Federal government and industry customers. Valdez teaches the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®), Introduction to CERT RMM, and CERT RMM Lead Appraiser Bootcamp courses. She is also the lead for the new Measuring What Matters public course.

Prior to joining the SEI, Valdez worked for the Department of Defense Cyber Crime Center (DC3) responsible for the development of DC3’s requirements for supporting the Defense Industrial Base information sharing programs and also supported the Office of the Director of National Intelligence. She was formerly an active duty officer and investigator for the Air Force as a Special Agent with the Air Force Office of Special Investigations.

Valdez graduated Cum Laude from the University of Washington with a BA in Psychology and Society and Justice. She has a Master’s of Science in Justice and Public Safety from Auburn University at Montgomery and a Master’s of Science in Information Systems Technology from George Washington University (GWU).

Katie C. Stewart

Katie Stewart is a senior member of the technical staff within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Stewart has more than 15 years of experience advising clients in engineering, information technology, and telecommunications industries. Stewart’s current research interests include information security governance, risk management, and measurement and analysis. She holds a Bachelor of Science and a Master of Science in Computer Engineering (North Carolina State University) and has completed executive education at the Wharton School of the University of Pennsylvania. Stewart is a Certified Information Systems Security Professional (CISSP) and has served as an adjunct professor.

Julia H. Allen

Julia Allen is a principal researcher within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, security governance, and measurement and analysis. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a Bachelor of Science in Computer Science (University of Michigan) and a Master of Science degree in Electrical Engineering (University of Southern California). Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2010).

Software Engineering Institute