Our man Gunnar starts a recent post with:
Security Metrics’ crying need is for metrics that serve others, outside of info sec.
Then he proceeds to talk about the need to develop appropriate metrics for constituencies outside of security – including developers, DBAs, Q/A folks, and Operations. Given his application-centric view of the world, those folks clearly need to understand security and have metrics to evaluate effectiveness, posture, etc.
I have lots of conversations with senior security folks who are similarly perplexed about how to communicate value via metrics to another reasonably important set of influencers: Senior Management.
It’s not an easy problem to solve, and there are no generic answers. I can’t just give you a list of metrics and send you on your way, because the metrics need to be meaningful to your business. Not another person’s business, but yours. And that means you need to understand your business and its critical success factors, and communicate your value through the PRISM (no pun intended…) of that view.
Photo credit: “don’t cry over spilled milk” originally uploaded by Joel Montes
3 Replies to “Don’t Cry over Spilt Metrics”
Dean, if you work for a company so toxic it resembles the one you describe, you ought not be concerned with metrics, but with finding a new job! What you describe is not at all normal in my experience. Most of the good CISOs and security leaders I know are able to have conversations with their leadership, even if through a proxy such as the risk manager or general counsel. If you can’t have that conversation, move on or change careers.
This doesn’t have to be hard. It is only hard when you try to develop your metrics for an audience which you don’t otherwise communicate with.
The process is simple. If you don’t know what your business leaders care about… wait for it… ask them!!!
NO, don’t ask them what parts of security they care about. Ask them what they care about in general. What are the key processes for their business to be successful? What information do they rely on to make decisions and to inform others? What systems support their critical business areas?
Then have a talk about what could go wrong or what has to go right (some people call this a risk assessment).
If you develop metrics that show them their “can’t go wrong” is beginning to go off track, I know they’ll care. Show them an increase in exposure of their critical trade secrets, I know they’ll care. Give them metrics that can inform their decisions versus metrics that show how busy you are or how well you’re doing, I know they’ll care.
Quite right. But it works both ways. How many security managers know the key performance metrics that their Senior Managers are judging business performance on? How many Senior Managers are even willing to disclose those metrics to a mere information security analyst? In a public company, those metrics are material information that is kept on a very tight leash, lest they be leaked to some trader in inside information.
There are whole categories of corporate cultures where only the CEO knows how one business unit compares to another, and the VPs or General Managers of the respective units won’t even tell their peers the business metrics whose composition constitutes a major part of the secrets of their success. I’m no management guru, but one of those categories has been called “warring tribes”, and pre-Google Motorola was supposed to have been an example. The CISO who can divine the appropriate security metrics for such a company must be a much greater master of managerial arts than of security sciences.