We've just republished the next in the series of management-level security awareness papers on metrics. The latest one lays out a range of metrics for information security and risk management.
Leaving aside the conventional metrics that are typically used to manage any corporate function, the paper describes those that are peculiar to the management of information risk and information security, with an emphasis on business-focused metrics.
I spent last week teaching a CISM course for ALC in Sydney. The business and risk focus is a unifying thread throughout CISM, from the governance and strategy angle through risk and security management to incident management.
In contrast to courses that cover the more technical/IT aspects of information security and are intended for mid- to low-level information security professionals with operational responsibilities, CISM is intended for Information Security Managers and Chief Information Security Officers with governance, strategic and management responsibilities. It promotes the value of elaborating on business objectives that are relevant to information risk and security management, and using those to drive the development and delivery of a coherent, business-aligned, risk-driven information security strategy. Metrics are of course integral to the CISM approach, particularly governance and management metrics similar to those in the awareness paper.