Measuring security is a problem, and not a new one. When I look at what we did at Swisscom, we are severely challenged in this area. A lot of companies measure things like incident counts, metrics which in my opinion are a complete failure. Let’s look at the incident metric for a second. You could simply have had sheer luck. Or you could have increased or decreased the number of people in your Security Operations Center or in your CSIRT. If you decrease it, you will see less, and your incident metric will look better. Cool?
There are some good metrics which help the CSO take decisions, but there are a lot which are just a waste of time, and even fewer are relevant for a CEO. Ask yourself for each metric: which decision could you not take without this figure? If you have a hard time answering that, the metric can simply be deleted. Reading this Exec Confidence in Security Posture and Metrics Sorely Lacking just confirms my view from an Exec standpoint.
Unfortunately, however, I do not have a solution to this problem. I have read quite a few books about it but did not find anything really satisfying.
Do you have anything? How do you solve this?