Security Metrics Are About Illustrating Criticality vs Risk
- Metrics are useful for gathering information about vulnerabilities, but until those metrics are distilled into something the CEO understands, they’re nothing more than numbers.
- Stay away from large, raw metrics. Instead, present security and vulnerabilities as a scale of criticality versus risk.
“You can select at most five metrics that are both qualitative and quantitative, and each [executive team] individual will pick up something he or she understands.”
“Your chief executive officer (CEO) isn’t interested in how many vulnerabilities you have,” says Genady Vishnevetsky, chief information security officer of Stewart Title Guaranty Company. That’s not to say that the number of vulnerabilities isn’t important, just that when you’re communicating the strength of the corporate security program to your CEO and other members of the C-suite, metrics like the number of vulnerabilities won’t provide useful information.