Managing Director, Markerbench

Andrew Jaquith is the Managing Director of Markerbench, a boutique consultancy specializing in cybersecurity. Andrew’s 25-year career as a CISO, CTO, executive, and cyber practitioner spans startups (with two successful exits), Fortune 100s, and global financial services firms. He was the CISO of Covington & Burling LLP. He has served as a Managing Director in technology risk and cybersecurity for Goldman Sachs and JP Morgan Chase, respectively. He serves as a Board Advisor to SecurityScorecard and as a member of the Technical Advisory Board of Panaseer. Andrew graduated from Yale University.

Andrew was most recently the CISO of Covington & Burling LLP, a $1.5B AMLAW 50 firm with 14 offices in the US, EMEA, Asia Pacific and China. At Covington, Andrew was responsible for cyber and physical security globally. During his tenure, his focus areas included shrinking the firm’s external perimeter, implementing new security tools, expanding and upskilling the security team, de-risking Active Directory, shifting security services to the cloud, and speeding up the firm’s IT operating tempo to reduce risk.

Andrew’s prior experience includes serving as the CISO of QOMPLX, Inc, a cyber-security startup focused on critical enterprise infrastructure. He was the global Cyber Security Operational Risk Officer for JP Morgan Chase, and was a Managing Director for Technology Risk Measurement and Analytics at Goldman Sachs. Andy’s earlier roles include Chief Technology Officer (CTO) of the managed security services provider SilverSky. He has held senior security analyst roles at Forrester Research and Yankee Group, and was a co-founder of @stake, a pioneering cyber-security consultancy. Andrew wrote the best-selling and definitive book on security metrics (“Security Metrics: Replacing Fear, Uncertainty and Doubt”), used by a generation of risk professionals to connect security to the corner office.

Andrew graduated from Yale University with a BA in Economics and Political Science. He lives with his family in New York.

For technical details about how this website was made, see the Colophon.

Senior managers talk about risks, and not about threats or controls. To have better conversations with senior leaders, focus on where the risks are coming from, and why. This post offers a vocabulary for talking about cyber- and technology-related risks and their causes.
Enterprise network perimeters have been disappearing: at first slowly, and then suddenly, all at once and at knifepoint. If this were a game of Clue, I’d accuse the Ransomware Actor, on the Edge Device, with the Zero-Day.
Microsoft’s new advice for securing Active Directory does customers a disservice by focusing on the wrong things. Tomorrow’s “Zero Trust” and Azure roadmaps won’t stop today’s ransomware epidemic. Enterprises need to protect the Active Directory they’ve already got.
Drift metrics can help measure how well-managed an enterprise’s technology assets are. CISOs can mine data contained in mainstream cloud configuration tools to understand conformance or divergence from expected states.