Choose Security Metrics That Tell a Story
- Stay away from tactical metrics that don’t help executives understand the value of the security program.
- Use metrics to build a cohesive story that illustrates the probability of security issues, the potential damage that can be done, and the steps necessary to reduce those risks.
“Look at data around probabilities of compromise and specifically at where issues occurred in the past.”
Adam Ely had spent most of his career as a chief information security officer. Then, he started a security company and found himself in the position of being the person to whom he used to report. The change has given him a new perspective on which security metrics are really useful to the C-suite. “Generally, chief executive officers, chief operations officers, and other business line executives are inundated with data from all the departments that report to them. Giving them the wrong metrics is usually just noise that they’re not going to be able to comprehend and understand quickly.”