For years now, we as security practitioners have been perceived as a road block to project timelines and overall efficiency of the business. Many security shops carried around a giant stick and typically said "no" to almost anything that came along. On top of this, we've had such a narrow focus about what we feel is important to "securing the enterprise" that we have been reporting things that have little to no meaning to the decision makers.
We must change this and begin recognizing the real value we add to the business -- that we aid the decision makers in making educated business decisions.
Security teams must make a decision in their current environment. We can stick to outdated methodologies and find ourselves sitting on the curb, or we can redefine how we exist in the business. The first place to start is measuring things that are meaningful and treat security as a business enabler rather than a business expense. "What do I as a security professional worry about?" is not relevant. "What does the business worry about?" is the question that really matters.
Senior management does not care how many spam messages the organization received last month. They don't care how many workstations are missing the latest Microsoft patches, and they certainly don't care that the organization had 23,000 "high" vulnerabilities reported from the VA scanner. They care about the goal of the business, which is usually making money.
However, you can't manage what you don't measure.
The right metrics come from asking the right questions. Questions like, what business are you in? Or are we about efficiency or efficacy?
Read the rest at Enterprise IT Planet.