Foreword

Stuart McClure

Stuart McClure is the CEO of Cylance, former global CTO of McAfee, and founding author of the Hacking Exposed series.

My university professors always sputtered the age-old maxim in class: “You can’t manage what you cannot measure.” And while my perky, barely-out-of-teenage-years ears absorbed the claim aurally, my brain never really could process what it meant. Sure, my numerous computer science classes kept me chasing an infinite pursuit of improving mathematical algorithms in software programs, but little did I know how to really apply these quantitative efforts to the management of anything, much less cyber.

So I bounded forward in my career in IT and software programming, looking for an application of my unique talents. I never found cyber measurement all that compelling until I found cybersecurity. What motivated me to look at a foundational way to measure what I did in cybersecurity was the timeless question that I and many of you get almost daily: “Are we secure from attack?”

The easy answer to such a trite yet completely understandable question is “No. Security is never 100%.” But some of you have answered the same way I have done from time to time, being exhausted by the inane query, with “Yes. Yes we are.” Why? Because we know a ridiculous question should be given an equally ridiculous answer. For how can we know? Well, you can’t—without metrics.

As my cybersecurity career developed with InfoWorld and Ernst & Young, while founding the company ...

Get How to Measure Anything in Cybersecurity Risk now with the O’Reilly learning platform.
