It’s not enough just to measure:

…most metrics that we security folks come up with are well boring are effectively useless to upper management. At best they are focused on technical management such as the CIO and CSO. Like much of the rest of our industry, we metrics folks have again failed to relate our services to the business at large.

— Attacking Metrics by arthur, Emergent Chaos, 20 June 2007

You need metrics that are comparable across companies, that subsume enough information to be interesting, and that are easy to explain to executives. Something like the Apdex performance measurements. Performance and security are more intertwined than most security people yet realize. And network performance people have been dealing with selling their measurements to management for some time now. Security folks might want to see how it’s already been done.

-jsq