Persuading Senior Management with Effective, Evaluated Security Metrics, published by ASIS International Foundation in July 2014, provides a detailed framework for creating and using security metrics to influence senior management decisions. With 381 pages of structured content, the book explores how to design, evaluate, and communicate security metrics in a way that resonates with executive leadership, ensuring security initiatives gain the necessary support and funding.
I read this book in February 2020 after acquiring it in early 2019, primarily to establish a robust security metrics mechanism for my company. The book offered valuable insights into setting up and managing security metrics that align with business goals. It effectively breaks down how to define meaningful metrics, present data-driven arguments, and build executive buy-in for security initiatives. The authors emphasize the importance of tying security performance indicators to business outcomes, a perspective that is critical for gaining senior management support.
One of the key strengths of the book is its comprehensive approach to metric design and evaluation. The authors outline clear methodologies for selecting and refining metrics, ensuring they remain relevant and actionable. The book also addresses the challenges of data collection and interpretation, providing strategies for avoiding common pitfalls like data overload or misinterpretation.
However, a notable gap in the book is its limited coverage of organizational maturity assessment concerning security metrics. While the book excels at explaining how to create and use metrics, it does not discuss how to evaluate an organization’s maturity level and align metrics accordingly. This omission is significant because certain metrics depend on the organization’s existing processes, technologies, and culture. Implementing advanced metrics in an immature environment can be counterproductive or even misleading.
To address this limitation, I had to supplement the book with additional resources focused on organizational maturity models and security capability frameworks. These supplemental readings helped bridge the gap by providing step-by-step guides on progressing from basic to advanced metrics gathering. The combined knowledge allowed me to create a metrics program tailored to my company’s maturity level, enabling a more effective and sustainable approach to security measurement.
Overall, Persuading Senior Management with Effective, Evaluated Security Metrics is an essential resource for security professionals seeking to influence executive decision-making through metrics. Despite its limited coverage of maturity assessment, its thorough exploration of metric development, evaluation, and presentation makes it a valuable tool for practitioners aiming to build a compelling security narrative backed by quantitative data. For best results, readers may want to pair this book with additional resources on organizational maturity and strategic program development.
