Thursday, November 14, 2019

The Potential Downside of Cyber Metrics


You always get what you measure. That phrase or some paraphrase of it is usually meant to justify some positive change.



For example, we were doing such-and-such activity before with poor results and then we started measuring and got better results.

This is a common statement and standard narrative in any cyber security program.

When the stakes are high, we want to be sure to turn the box green, finish within the right time boundary, or get results above the right percentage.

But any metrics that involve humans also drive behavior.

And so, not surprisingly, poorly conceived metrics can drive wrong behavior.

Incomplete definitions of “done”.

Process shortcuts.

Inconsistent measurements of outcomes.

Whatever it takes to keep the metric in the “green”,
and the metric announced at the quarterly team meeting,
and the positive bullet point in the annual review.

Because, when the stakes are high, you always get what you measure.

One way or the other.

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.
