A lot of the executive metrics presentations I see contain huge piles of numbers, with lots of acronyms and jargon.
To me, that means the people putting these metrics together are unsure of the goals they’re supporting, don’t really understand the business relevance of the data, or are putting up a smokescreen.
Forcing execs to chew through too many indicators – especially ones that don’t have a direct impact on the organization’s results – is just a distraction.
If an exec can’t figure out what to do about the data they’re given, it’s useless.
And if you just show them data they can’t make sense of, guess what? They will eventually stop paying attention to you.
Fortunately, there’s an easy fix for this.
Use the “So what?” test to cut through to the real issues. For each of the security indicators you review, ask: “If this number went up by 10% or down by 10%, would we do (or want to do) anything differently?”
If the answer is “no,” then that metric is probably not a meaningful indicator and you’re wasting time looking at it.
After all, effective metrics should drive meaningful action, decisions, or discussions in the organization.