Count What Counts

Working at Microsoft can be hard. You have to force yourself to not get distracted by all the smart things that smart people are doing and saying. Last week I was sent a summary of an internal blog post by BillG talking about the business in general, ROI and metrics. As usual the summary was more valuable than the original as it had relevance added!

It got me thinking about security metrics.

- Figure out the metrics that count for the decisions that count

- The key issue in a gold mining business is to make money, but the high variance is in how much you find. You want to put a lot of resources into the people who are good at finding gold. You do not want the metrics about the shovels and how much they cost to confuse the gold finders. ROI measures can have trouble computing return on these kinds of high-risk investments.

- The goal of metrics is not to have very few, but rather to have metrics that actually drive the right behavior.

I think these sentiments should be heeded by some folks building security metrics programs today!
