Our man Gunnar starts a recent post with:

Security Metrics crying need is for metrics that serve others, outside of info sec.

Then he proceeds to talk about the need to develop appropriate metrics for constituencies outside of security – including developers, DBAs, Q/A folks, and Operations. Given his application-centric view of the world, those folks clearly need to understand security and have metrics to evaluate effectiveness, posture, etc.

I have lots of conversations with senior security folks who are similarly perplexed about how to communicate value via metrics to another reasonably important set of influencers: Senior Management.

It’s not an easy problem to solve, and there are no generic answers. I can’t just give you a list of metrics and send you on your way, because the metrics need to be meaningful to your business. Not another person’s business, but yours. And that means you need to understand your business and its critical success factors, and communicate your value through the PRISM (no pun intended…) of that view.

