In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests.
Keeping with the definition that a metric is used to tell a story, let's look at an influential metric and how it was established, as well as a few things about how it has historically been presented. I'm also going to use the metric as a way of red-flagging a few “don’ts” in presenting metrics: if a metric tells a story, the story may also be exaggerated, deliberately or by accident. But when it's an important metric that's being manipulated, which do you think is more likely: accident or deliberate spin?