When top management has validated your new security program, they expect results, and they usually expect them quickly. Security has yet to equal the communications mastery of its HSE counterparts, who boast of their 2 million man-hours without incidents, and providing security results requires a good balance between providing metrics that mean something and keeping the confidence of the hierarchy.

In this chapter, I will start by explaining how changes brought to security should be managed to demonstrate their added value, and I will also suggest what should be measured and why. I developed a strong interest in metrics a few years back and I think this chapter will provide interesting suggestions. I will explain how to choose key result areas and how to build meaningful key performance indicators, something quite simple but which, I find, is often misunderstood and poorly implemented.