The 5 baselines any CISO must use.

Martijn Dekker
4 min read · Jul 15, 2022

In our ever faster changing world, CISOs need to know whether their security programs are keeping up with the evolving threat landscape. Here are 5 baselines that any CISO should use to measure the effectiveness of their security strategy.

The BOOM framework

This blog is nothing more than a shameless plug for the book “The Metrics Manifesto” written by Richard Seiersen. In this awesome book, Richard describes the BOOM framework (Baseline Objectives and Optimization Measurements). He describes 5 baselines that are foundational for measuring security performance and that allow you to articulate clear, measurable objectives, so you can tell whether your security programs are actually making your environment more secure or not. Besides defining these terms, the book also contains plenty of detail on how to implement the BOOM framework, including source code.

The BOOM framework consists of the following 5 baselines: survival analysis, burn-down metrics, arrival rates, wait times and escape rates. The baselines build on the now common understanding among CISOs that events will happen and that not all issues can be prevented. They are designed to look beyond merely counting events and to measure improvements in resiliency instead.
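To make the five baselines concrete, here is an added example (not code from this blog, nor Seiersen's own implementation from the book) that computes simplified versions of each over a constructed set of vulnerability records. The definitions are my own simplified reading of the baselines and are assumptions: survival is a Kaplan-Meier estimate of the chance a finding is still open after t days (open findings are right-censored), burn-down is the count of open findings per day, the arrival rate is new findings per week over a trailing window, wait time is days from discovery to closure, and a finding first seen in production is treated as having escaped pre-production controls.

```python
"""Simplified BOOM-style baselines over constructed vulnerability records.

The five definitions here are the author's own simplified reading of the
baselines (assumptions), not the book's implementation.
"""
from statistics import mean, median

# Constructed sample data: one record per finding. Days are offsets from an
# arbitrary day 0; closed_day is None while a finding is still open. A finding
# whose stage is "prod" is assumed to have escaped pre-production controls.
SAMPLE = [
    {"id": 1, "found_day": 1, "closed_day": 5, "stage": "pre-prod"},
    {"id": 2, "found_day": 2, "closed_day": 12, "stage": "pre-prod"},
    {"id": 3, "found_day": 3, "closed_day": None, "stage": "prod"},
    {"id": 4, "found_day": 8, "closed_day": 10, "stage": "pre-prod"},
    {"id": 5, "found_day": 10, "closed_day": 20, "stage": "prod"},
    {"id": 6, "found_day": 15, "closed_day": 18, "stage": "pre-prod"},
    {"id": 7, "found_day": 20, "closed_day": None, "stage": "pre-prod"},
    {"id": 8, "found_day": 25, "closed_day": 29, "stage": "prod"},
    {"id": 9, "found_day": 28, "closed_day": None, "stage": "pre-prod"},
    {"id": 10, "found_day": 29, "closed_day": None, "stage": "prod"},
]
TODAY = 30  # the observation day for the constructed sample


def _duration(rec, today):
    """Return (age in days, closed?). Open findings are right-censored at today."""
    if rec["closed_day"] is None:
        return today - rec["found_day"], False
    return rec["closed_day"] - rec["found_day"], True


def survival_probability(records, today, t):
    """Kaplan-Meier estimate of the probability a finding is still open after t days.

    At each closure time, everyone still open (or censored at that age or later)
    is 'at risk'; the survival curve drops by the share that closed that day.
    """
    durations = [_duration(r, today) for r in records]
    event_times = sorted({d for d, closed in durations if closed and d <= t})
    survival = 1.0
    for event_time in event_times:
        at_risk = sum(1 for d, _ in durations if d >= event_time)
        closures = sum(1 for d, closed in durations if closed and d == event_time)
        survival *= 1 - closures / at_risk
    return survival


def burn_down(records, today):
    """Number of findings open at the end of each day from 0 to today."""
    return [
        sum(
            1
            for r in records
            if r["found_day"] <= day
            and (r["closed_day"] is None or r["closed_day"] > day)
        )
        for day in range(today + 1)
    ]


def arrival_rate_per_week(records, today, window_days=14):
    """New findings per week, averaged over the trailing window."""
    recent = sum(1 for r in records if today - window_days < r["found_day"] <= today)
    return recent / (window_days / 7)


def wait_times(records):
    """Days from discovery to closure for closed findings, as (median, mean)."""
    waits = [r["closed_day"] - r["found_day"] for r in records if r["closed_day"] is not None]
    return median(waits), mean(waits)


def escape_rate(records):
    """Share of findings that surfaced in production rather than an earlier stage."""
    return sum(1 for r in records if r["stage"] == "prod") / len(records)


if __name__ == "__main__":
    print("P(still open after 5 days):", round(survival_probability(SAMPLE, TODAY, 5), 3))
    print("open findings per day:", burn_down(SAMPLE, TODAY))
    print("arrivals per week (last 14 days):", arrival_rate_per_week(SAMPLE, TODAY))
    print("wait time median/mean:", wait_times(SAMPLE))
    print("escape rate:", escape_rate(SAMPLE))
```

Each function takes the record list and the observation day explicitly, so the same code can be re-run against a fresh export each week; the value of these baselines comes from watching them move over time, not from a single snapshot.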

Survival Analysis


Martijn Dekker

Martijn has a PhD in pure mathematics and is a top executive, scientist and CISO with more than 25 years of experience pushing the limits of information security.