The Best Security Metrics Are Actionable
- Activity metrics are useful only to prove that you’re doing something, but they don’t show how effective that activity is.
- Everything that gets presented to the board has to have a clear link back to business value and business strategy.
“If a metric changes and you wouldn’t change your activities as a result, it’s a bad metric.”
In many ways, corporate data security is fundamentally a resource allocation issue. “There’s never enough time, there’s never enough money, and there’s never enough people, so allocating the right dollars to protecting the most sensitive types of data is the central challenge,” says Aaron Weller. To win the necessary resources, you need to align essential security goals to strategic business objectives; then, you must achieve these goals in a way that meets expectations.