Make Security Metrics Your Chaos Indicator
- Choose metrics purposefully. Tracking unapproved configuration changes makes sense; tracking the number of antivirus installations probably doesn’t.
- CISOs should constantly chart their IT environment and keep tracked metrics close at hand, ready to be communicated at a moment’s notice.
“If you tell business people, ‘Hey, look at all these systems that have antivirus!’ Who cares? What does that even mean to me?”
Business is a language of measurable numbers—metrics. Any competent chief information security officer (CISO) can offer up metrics that help shape the C-suite’s understanding of IT security and score the resources needed to protect the environment, says consultant and industry influencer Dave Shackleford. But select them with purpose.