You always get what you measure. That phrase or some paraphrase of it is usually meant to
justify some positive change.
For example, we were doing such-and-such activity before with poor
results and then we started measuring and got better results.
This is a common statement and standard narrative in any
cyber security program.
When the stakes are high, we want to be sure to turn the
box green, finish within the right time boundary, or get results above the right percentage.
But any metrics that involve humans also drive behavior.
And so, not surprisingly, poorly conceived metrics can drive
wrong behavior.
Incomplete definitions of “done”.
Process shortcuts.
Inconsistent measurements of outcomes.
Whatever it takes to keep the metric in the “green”,
and the metric announced at the quarterly team meeting,
and the positive bullet point in the annual review.
Because, when the stakes are high, you always get what you measure.
One way or the other.
Follow me on Twitter
for discussion and the latest blog updates: @Opinionatedsec1. Or, start your
own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read
it.