In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests.
Most of the complex fields humans engage in develop their own terminology, which then becomes a problem of translation for the expert. One of the fundamental problems for security at the “C-level” is to translate between security's inner language, which tends to be about risk, and business's inner language, which is about money and opportunity. The problem a lot of us security practitioners have is that we can't really talk sensibly about risk without trying to quantify it, because the others at the “C-level” are going to want to make a risk/reward judgment. All too often, we're kind of waving our hands, and the best we can do is point to some of the other casualties by the roadside and say, “well, look what happened to them!”