For Security & Risk Professionals

Develop Effective Security Metrics

    Why Read This Report

    Establishing meaningful security metrics is a key initiative for chief information security officers (CISOs) today, and for nearly all of them, it's a struggle. Some CISOs use a broad brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics help them make better decisions. Good metrics are easy-to-understand, incite actions, and change behavior by providing a clear idea of why the audience cares. When CISOs present metrics, they must be able to clarify "What it means" and have answers when stakeholders ask, "What's in it for me?" This paper provides guidelines to develop a well-formed security metrics strategy that drives behavior change and improves performance. This report was originally published on January 17, 2012; Forrester reviews and updates it periodically for continued relevance and accuracy.
    US $499
    Add To Cart
    Become A Client

    Get objective, pragmatic guidance that helps you make tough decisions and succeed in a complex world. Contact us to learn more.

    Already A Client?
    Log in to read this document.


    • CISOS Continue To Struggle To Find The Right Metrics
    • CISOs Need A Security Metrics Strategy
    • Best Demonstrated Practices In Security Metrics
    • Best Practice No. 1: Be Very Selective In Picking The Metrics
    • Best Practice No. 2: Think Beyond The Security Organization
    • Best Practice No. 3: Focus On Reporting And Presentation

      Lay a Best Practices Foundation, Then Move Onto These Next Practices
    • Related Research Documents