Did the reduction of vulnerabilities reduce risk? If not, I have a hard time seeing how the CIO in the example can express value for that effort.


Huh, good points. I recall several classes in b-school about how to make the metrics mean something, be measurable, and simple all at the same time. They were boring classes; I guess I missed their importance.

OTOH, in the techie industry, making up the metrics is a time-honoured tradition. Is this limited to IT, I wonder?

I never connected the two together, but that's a good observation.

John S. Quarterman

Another thing I heard was several people calling for security people to get MBAs. From Iang's comment, it sounds like business people find this topic boring, too, and while some technical people think explaining numbers means making them up, some business people assume technical people just make up the numbers anyway.

What we have here is a failure to communicate.

And meanwhile the black hats are winning.


Being the one who said "just tell me what to count", it is clear to me that my intentions were misunderstood by you and (perhaps many) others at the conference. I don't understand why someone at a metrics conference wanting specifics about metrics (and speaking colloquially) could be seen as only caring about numbers. It has never been true. Numbers are a means to an end that is more objective and useful than the current state of affairs. Speaking as one with years of business experience, I have heard (and recommended) the "talk like the business talks" line for years, and it is almost always true and meaningless at the same time when expressed as an excuse, for example, not to provide useful information to the executives themselves. And that was essentially what the panelist was saying. Did you happen to notice that we were at a metrics conference and there was not a single specific metric mentioned there that was strategic and business-like?


John S. Quarterman

Hi Pete,

If you'd been the only one who expressed such a sentiment, I'd go with your interpretation as the most useful one. However, it became clear in discussions with people after the break that there really is a disconnect between those who just want to measure and those who want information executives can use.

"Did you happen to notice that we were at a metrics conference and there was not a single specific metric mentioned there that was strategic and business-like?"

Why yes, yes I did. I think we're in agreement that that's the problem.

However, I don't see CEOs dictating a list of publications to use for PR and then spelling out exactly how to phrase the PR to get them to pick it up. In such a case, why bother having a VP of Marketing? Yet this seems to be the situation for security.

However, as I mentioned after their talk, I think at least one of the presenters was really close to strategic and business-like metrics.

More on that in a blog post.


