Why Read This
Establishing meaningful security metrics is a key initiative for chief information security officers (CISOs) today, and for nearly all of them, it's a struggle. Some CISOs take a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics help them make better decisions. Good metrics are easy to understand, incite action, and change behavior by giving the audience a clear idea of why they should care. When CISOs present metrics, they must be able to clarify "What it means" and have answers when stakeholders ask, "What's in it for me?" This paper provides guidelines for developing a well-formed security metrics strategy that drives behavior change and improves performance. This report was originally published on January 17, 2012; Forrester reviews and updates it periodically for continued relevance and accuracy.