A very wise man once said, "Without measurable goals, how do you measure success?" It's a good point, but one that many security professionals still struggle with.
We have measures of success for everything that we do. For instance, the measure of success for a meal might be that nobody contracts food poisoning, or the measure of success for a long-haul flight is that there are an equal number of take-offs and landings. Back in my military days, one measure of success was the number of sandbags that could be pointlessly filled in half a day, whilst for the officers it was the number of brandies they could pour down each other's throats during an evening in the mess... Bitter? Me?
I've seen lots of information out on the web about metrics and KPIs for information security. Much of it is David Brent style management speak (e.g. spotted on one forum: "It's my take that as security professionals, we need indicators that clearly demonstrate that our threat prevention investments work as expected. We should then be on the road capable of climbing the mountain of ROI"), and the rest is well intended but doesn't actually say what to do. I'm not saying that I have the right answer, but I thought it might help if I shared a couple of the metrics that I intend to use. This might help you to get started on defining your own.
1. Progress against security project plans. I have my security program mapped out using Microsoft Project. For instance, one milestone to attain over the course of the next few months is "Security of third-party vendors assessed." I've estimated the timeline for each of the sub-tasks involved in meeting the milestone. In the monthly report I can simply report on whether I'm on track or falling behind in my plans.
2. Security patch status. I have no intention of reporting the number of patches rolled out or the percentage of coverage. What I will do is take that information from each of our business units and use it to report up to my management that we are either good on desktop security status or not so good on desktop security status.
3. Business unit security status. This metric is based on the results of a standard, repeatable risk assessment questionnaire process that each business unit must update on a regular basis. The results make for a nice chart where senior management can easily see which of our business units have met all their security requirements and which are falling behind.
I won't bore you with the others, but I think you get the message: the key performance indicators are intended to be relevant to the business. Problems and anomalies stand out and, overall, it's meaningful information that senior management can quickly digest.
Now, I'm not so arrogant as to believe that I have the perfect solution, but it works for my business. That's the most important thing of all. Understand what motivates and drives the business, and let the metrics reflect and support the strategy.