As a respected cybersecurity strategist, Caroline Wong believes in the power of data and metrics to gauge the effectiveness of a company’s security program. So what data point or metric might one use to measure Wong’s contributions to cybersecurity?
You might go by number of job titles she’s held. Currently, she serves as chief strategy officer at on-demand pen testing company Cobalt.io. Previously she was director of security initiatives at software security managed services firm Cigital, director of global product management at Symantec, senior manager of game developer Zynga’s security program, and global information security chief of staff and manager at eBay.
Another metric to measure Wong’s impact on the industry might be the number of innovative security metrics she’s recommended for organizations.
“Some security professionals make decisions and recommendations based on things like opinion and gut instinct, which I don't entirely discredit,” said Wong. “But I do think that the best way to make a decision is with the gut instinct and the bias and the opinion of an experienced practitioner in combination with relevant data.”
Developing metrics from data, said Wong, allows security teams “to prove our value, and continue to justify our existence,” as well as the technology initiatives they recommend to corporate leadership.
Wong believes security metrics “absolutely must” be business-aligned. However, she said it shouldn’t be essential to demonstrate a security initiative’s ROI, which can be difficult to quantify and hard to prove. In this case, the data simply isn’t there.
But “metrics don't always have to be hard technical numbers,” said Wong. For instance, companies can create metrics based on observable outcomes. “It might be things like, for example, ‘Can I, as a security leader, get my executive team at my organization to agree that it’s important for us to reduce the probability that attackers can cause critical applications to stop functioning?’” said Wong.
Survey results are also useful for developing security metrics, Wong added. For instance, Cobalt.io measures security awareness on its team by creating a Security Net Promoter Score metric, based on a survey that asks employees if they are “confident that the infosec team is focused on the right initiatives at the right time.”
The percentage of incidents that are detected internally is another of Wong’s go-to metrics. In other words: Did your company have the security infrastructure in place to uncover past security incidents on its own, or did an external intel source have to warn you of them?
This particular metric represents “an evolution from the way security managers that I've worked with earlier in my career” would measure success, said Wong, noting that in the past, success meant meeting a quarterly objective of zero security incidents. “To me, that model is inaccurate, it’s outdated. It does not reflect the reality that incidents are happening all the time. It’s just a matter of: How are you dealing with them?”
Wong is also an impassioned educator and an advocate for workplace equality. Her contributions in this space could also be a metric to demonstrate her accomplishments.
Named 2019 Cyber Educator of the Year in the 6th Annual Cyberjutsu Awards, Wong is a contracted LinkedIn Learning educator, producing training courses on topics like the OWASP Top 10 vulnerabilities and cybersecurity compliance at work. She authored the textbook “Security Metrics: A Beginner's Guide,” as well as the children’s ebook “Appsec ABCs.”
Wong is also an advisor to the organization Spark Mindset, which provides virtual cybersecurity training camps to U.S. school students, especially girls and children of color.
As the person in charge of Cobalt’s HR department, Wong is proud to say that the company is inclusive in its hiring practices, with a staff composed of 40 percent women.
“When I get the question, ‘How do you do it?’ my answer is… simple but not easy,” said Wong. “Which is: You hire leadership that is not sexist and that is not racist. And then it happens naturally.”