Metrics help to tell a story, and to tell that story to the right audience. When I present on this topic I use an image showing a child, a spouse, and a grandparent. All three can ask the same question, “How was work?”, and all three will receive an answer with a different story. Each will receive details that are appropriate for their level of understanding and their background. The story that we, as CIOs and CISOs, need to tell is no different. We have different audience members, including the Board, Executives, Auditors, and Engineers. As we tell each of these audiences the story of IT and information security, we need to keep in mind their background and the ask.
The Board is strategic, and we are asking for resources. The Board might be comfortable with a functional-level aggregation, or they may want a single score. When a single score is needed, it is usually a maturity level, and it should be coupled with a risk rating. Combined, these tell where you are and how tight the controls are.
Engineers need the details, and we are going to ask them to fix something. With the Engineers we can show detailed tactical metrics. NIST and CIS have a great listing of tactical metrics with parameters for different levels of risk. From there, you can tie the results to technology.
Auditors need to know that we know our environment and that we’re doing something about it. Auditors need to see that we are headed in the right direction.
Executives need actionable information, usually by subject area, and we need to answer their ask: “What’s in it for me?” Executives need to see how the security program is affecting them, so we aggregate by the topics they care about. For example, the CMO might care about Integrity and Reputation, to address concerns about report accuracy and potential reputation damage.
Your metrics should not be a burden on the job; they should be a tool that helps you tell a better story.