Eastman Kodak's matrixed organizational structure enables its business units to act quickly in response to changing business conditions, but it also creates a decentralized security function. Security information resides in different parts of the organization, so it was hard to measure and report information security to management. With the help of his security team, CISO Bruce Jones developed a security metrics program that not only presented a holistic risk-based view of Kodak's security and risk posture but also translated the operational and tactical information in a fashion that made it easy for the business to digest and use this information.