8.0 PERFORMANCE MEASURES

I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind….¹

William Thomson (Lord Kelvin)

8.1 WHY MEASURE?

Are you an executive who agrees with Lord Kelvin? Do you believe that if you cannot measure something, you can’t truly understand it?

If you do, you are not alone.

Performance measures (also commonly called metrics²) are an important part of modern business. Most executives rely on metrics to aid them as they manage their organizations. Many have learned through years of trial and error what sets of information help them better understand their business and its performance, giving them the basis needed to make decisions. “You get what you measure” has become a mantra in many companies.³

What about cybersecurity? How do you measure success? Have you invested enough? Have you invested too much? Are you getting your money’s worth? These are key questions that many executives wisely are asking today.

When it comes to cybersecurity, there is no silver bullet answer delivering a singular metric or universal set of metrics that will answer these questions in every organization, nor should there be. As Peter Drucker said, “No two executives organize information the same way.”⁴ Nonetheless, we believe that use of performance measures is an essential part of gathering ...
