We attended a CISO roundtable today and had a few takeaway thoughts on the development of security metrics.
What makes a good metric?
- Motivates tangible actions and desired results
- Is easily understood by anyone, especially our peers outside of Information Security
- Enables the business
- Demonstrates the value of the security program to IT and the business