Forrester receives a significant number of inquiries from clients requesting Forrester guidance on Information Security Metrics. Chief Information Security Officers (CISOs) need new types of metrics to address economic, legal, regulatory, human resource, communication as well as traditional IT information security concerns. Security metrics must evolve to show the information security effort provides quality, efficiency, and a correlation to cost reduction and profit improvement. CISO’s need new methods for demonstrating the value they and their programs create. Over the course of the next several months I will be working with our clients to provide additional guidance and insight into this important topic. Look for additional research from Forrester in a new information security metrics research paper series. As these papers develop I will comment on their development as well as important issues that surface as a result.