From CSO:

The absence of good statistics limits insight into what constitutes good cybersecurity. “If I gave you $5 million and said, ‘Spend this on improving the security of an enterprise,’ the average system couldn’t actually put numbers to a proposal to decide whether or not to do threat hunting or a better training of employees,” Paul Rosenzweig, senior fellow at the R Street Institute, said at the RSA Conference. He argues for the creation of a bureau of cybersecurity statistics. “The ultimate goal here is to have metrics that are transparent, countable, auditable, effective, generally agreed-upon, widely used and scalable. We’re nowhere near that right now,” he said.

Like most cybersecurity policy experts, Rosenzweig thinks mandatory breach notification is overdue. “It boggles my mind that 15 years into this cybersecurity crisis, pretty much since 2005, 2006, we still don’t have an operating picture of how frequently and what sorts of breaches occur in the United States. We’re doing better than we did 15 years ago. But without a comprehensive breach notification law, we simply never get a sense of what’s actually happening on the ground. That makes it impossible to do trend analysis or gap analysis with any efforts.”