I recently wrote about the importance of measuring performance to get funding, resources and support for security initiatives. Executives, who ultimately decide how company resources are rationed out to various departments, are particularly focused on key metrics. It's these metrics that differentiate projects and convince executives to spend money and time and increase head count.
So, I've been working on refining the things I'm measuring, to produce the most compelling story. I'm trying to use metrics to explain what we're doing well (how much value the company is getting from what they've already invested), what we need to improve (how to spend future dollars) and what our risks are (keeping our focus on using our resources in the right places).
I've also mentioned that metrics can be a double-edged sword. If they show weaknesses in a security programme, it's important to show substantial progress in those areas at a pace that will convince the company's leadership that appropriate steps are being taken. I had a lot of red on my first set of dashboards, so I've been putting a lot of effort into improving those numbers. Now, they are mostly green with a few yellows. I've been keeping the executives up to date on this progress, and the feedback I'm getting is positive. A trend toward improvement is always important for demonstrating value.
I feel as if I'm playing with fire by highlighting our problems, so I'm balancing that by demonstrating accomplishments. There are many areas of my security program that have good stories to tell, so I'm taking advantage of the metric reporting process to get those messages out.