A key task in this research was to develop guidelines for effectively using security metrics to persuade senior management.
As this project's literature review notes:
Corporate management tends to view security as overhead (i.e., a cost center rather than a production center) and security metrics as merely measuring activity, not value. Security professionals note that security benefits are difficult to measure compared to the benefits of profit centers, and such professionals often lack the skills or time to create and administer effective metrics. Thus, current security metrics, in practice, are generally not compelling and are often not taken seriously (Rothke, 2009).
This project's online survey found that 80 percent of respondents who use metrics share those metrics outside the security department. Of those who share, 79 percent share with senior management. Taken together (0.80 × 0.79), that means about 63 percent of survey respondents who use metrics share those metrics with senior management.
What would make those presentations more compelling? This section presents advice gathered from a variety of sources: the literature review, the online survey, the follow-up telephone interviews, the advisory board, and the expert panel. Several key recommendations emerge from those sources:
Align with Organizational Objectives and Risks
Present Metrics that Meet Measurement Standards
Tell a Story
Use Graphics, and Keep Presentations Short
Present Metric Data Regularly