The slides from MetriCon 2.0 are all posted now. Many good talks in there; I'll probably comment on some more of them later.
One of the most interesting aspects was to see those with business experience try to explain to those who said "Just tell me what to count!" that counting isn't enough. If you want business managers, executives and the board to pay attention, you need to say what your counts mean.
Chatting with attendees, it became clear some of them interpreted the latter as a call to make up numbers to match whatever you wanted to sell to management. Far from it. The point is to abstract your numbers and to describe them in terms of what they mean to the business.
Abstraction may be part of the problem. For fans of Myers-Briggs, we seem to have quite a few ISTJs (security counters) being told they need to communicate with ENFPs (business executives). You don't even have to know Myers-Briggs to see that those types don't match at all. (Yes, I know I'm oversimplifying; any individual in either group might be of either of those types or another, but I think you'll agree that each group will tend more towards the stated type.) In particular, people who work on the details of security tend to have detail-oriented personalities (S). To them, abstraction can sound like fudging, and presenting a number together with its business context can sound like lying (see above).
So let me try an analogy instead. Suppose the VP of Marketing shows up at a board meeting and reports that his PR guy put out 5 press releases last month. So what?
OK, how about 5 press releases and 3 of them got picked up in a total of 500 stories worldwide. That's nice, but so what?
OK, and two new customers signed up who said they heard about the company's product through one of those stories. Now we're getting somewhere!
It would also be good to know how those customers compare, in number and in dollars spent, with customers who signed up for other reasons, and how the PR budget compares to the income generated by those sales, among many other interesting questions. But this is enough to illustrate the point.
Now suppose the CIO shows up and says his security team fixed 5 vulnerabilities last month. So what?
How did fixing those vulnerabilities affect customers? How many more were not found, or not fixed? How does the security budget spent compare to related present or future sales or savings? Is finding and fixing vulnerabilities the best use of security money?
How many security teams or CIOs can answer questions like that? How many present to executives or boards with that kind of meaning attached to their numbers?