According to John Pescatore of Gartner "The best security program is at the business with the happiest customers." Surely, that puts Whiskers Supermeat at the top with their claim that 8 out of 10 cats prefer it. Personally, if we're going to have soundbites then I prefer the words of my previous boss: "superior products require superior security." And he should know having presided over one of the largest data breaches in American corporate history to date.
It's important to measure the effectiveness of a security program but don't spend all your time working on metrics. The danger is that you'll focus so much on getting the right facts and figures to present that you'll forget you've also got a practical job to do. I reckon about 15% of my time is spent on preparing reports. Too much/too little? It's probably about right because I worked closely with the end users of the reports to ensure that they are getting the information that they need. Really it comes down to two things: how well security is being managed and how secure we are in my opinion. Sometimes you can forget pie charts and dashboards: company leadership needs the balanced and professional judgement of the person they've hired to lead on security. Just say it like you see it and state in words of plain English what needs to be done.
