“We have to get a lot better about using quantitative data when we talk about cybersecurity policy,” said Jacob Olcott, the former congressional staffer who’s now a vice president at BitSight. “When we’re talking about adopting a new regulatory framework or something like that, we should try to understand current cybersecurity performance and measure it over time before jumping to a conclusion about what to adopt or not to adopt.”