Many people have asked about what they should measure or track. A great place to start is measure what matters. This may sound cliché but is really holds true.
Measuring what matters means measuring the items that pertain to your organization, group, or department. If the measure you have doesn't change any practice in your group then it doesn't matter. These are your tactical measures.
Measuring what matters also means measuring things that you can change. For example, measuring total spam messages. While this is a nice explanatory metric it isn't a reportable metric. It is a metric that you can't control. However, these types of explanatory metrics should only be reported when used as a denominator to show a rate. Another example, # of spam messages that got through / total # of spam messages. But now this is a different metric which tells a different story and you can control it because you can tune your spam filter.
Measuring what matters means aggregating items so they mean something to the business. Telling executives or the Board about AV incidences, accounts in AD, or average ETL run times doesn't mean anything until they are aggregated and tied to something the business cares about. These tend to include:
Is the data safe? - Confidentiality
Are we managing the people effectively that manage the data? - Human Resources