Establishing Your Own Metrics: What Not to Do
In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests.
Don't just ask your boss, “what metrics should I collect?” Metrics are 'produced' not 'collected'; you collect underlying data to produce the metrics, so if you ask that question, you've just shown that you don't understand metrics. More importantly, you've just shown that you don't understand what you do. Rather than having an existential crisis, you need to spend some time figuring out what metrics are appropriate for your organization, which really means figuring out your organization's purpose or product.