There's More To Security Metrics Than Raw Numbers
- A report filled with raw metrics does not, by itself, give CEOs and executives an understandable picture of security. They need context that shows how each metric maps to a business objective and to a decision they have to make.
- Meeting compliance requirements does not mean the work is done. A standard describes a baseline common to every organization; it cannot account for the specific architecture, processes and potential weaknesses of a particular business.
Arnaud Laudwein, chief security and privacy officer for Hachette Livre, says that “There are things that CEOs (chief executive officers) always comprehend—a percentage of progress, an explanation of the risk if we don’t finish a project in time, and metrics that help them make decisions or prioritize over other business items.” They need “metrics that show the effectiveness of security programs, but they do not always need to go into details—their usual question is ‘Are we secure?’ rather than ‘How secure are we?’” Laudwein says.