I received a lot of comments and new ideas after my recent post on the 5 Characteristics of Effective Security Metrics. For example, I just had a discussion on another forum regarding what you do with security metrics after you report on them.
In the interest of keeping the discussion going, I thought I’d relate some of that discussion here. The premise is this:
“It is possible to focus on a single metric and drive it up or down, but wreak havoc on the organization through unintended side effects. Some organizations have to deal with some people “gaming the metrics”, which again can lead to unintended side effects. Other organizations use metrics as a way to begin a conversation: “I notice that the x ratio went up last week – what’s behind that?”
That’s a great point. I am a firm believer that metrics, like statistics, don’t tell the whole story. Effective metrics should drive behaviors and decisions, and help focus the search for a deeper understanding of what’s going on behind the numbers.
Essentially, if you can create metrics that allow you to glance at a trend line and know whether things are OK and drive some smart questions when things don’t look right, you’re in pretty good shape.
I have a friend who can look at a balance sheet and tell you where the problems are with a business in about 5 seconds. I don’t have that level of financial acumen, so I’d need to see a list that tells me something like:
- “Here are your top 5 indicators;
- this is why they are important;
- this is what ‘good’ looks like;
- this is what ‘bad’ looks like; and
- here are the relationships between those 5 indicators and what we’re doing in practice.”
If I know these things, I can use the metrics effectively to respond appropriately and make better decisions. That’s what we’re trying to achieve with security metrics.
Keep the conversation going – I’d love to hear from you. Next week I’ll talk a bit about how metrics can influence cultural dynamics.