The Need of Security Metrics

I have a strong belief that everyone needs security metrics. Imagine a case where all information security activities are outsourced. Would you define an SLA and implement some metrics to ensure that the contractor provides an efficient service? Certainly! So what is the big difference when there is no outsourcing?

Here are other reasons for implementing information security metrics:

  • You cannot improve what you do not measure.
  • In many cases the mere fact of measuring (and making the results visible) leads to improvement.
  • You usually have limited resources, so they should be used efficiently. Metrics can be used to verify this efficiency.
  • Metrics help to justify the information security budget.
  • Lastly, this is a classic time management tool: you first define your targets, KPIs, etc., and then align your activity with them.
And here the difficult part starts: which metrics to implement. Share your experience!


Сергей Солдатов

REPLY-TO-ALL is a bilingual blog (English/Russian) run by three information security practitioners. Want to discuss information security problems? This is the place.