This week I attended the Gartner Security & Risk Management Summit in Washington, D.C. I attended a lot of very good sessions, but the one that left the biggest mark on me was a session called "Metrics That Matter," delivered by Jeffrey Wheatman.
I went to this session because I've had a lot of conversations with information security executives this year, and a common question is "What should I really be measuring?" or they make comments like "I report on a lot of things, but I am not sure what the top indicators are that I should roll up to my executive team."
My initial reason for attending this session was for my "day job" as the CTO of a tech company, but I feel like I can "generify" Wheatman's guidelines to apply to anything that needs to be measured & tracked.
- Effective metrics must support the business's goals, and the connection to those goals should be clear.
- Effective metrics must be controllable. (In other words, don't report on things that "just happen" - report on things you can drive up or down with your own direct actions.)
- Effective metrics must be quantitative, not qualitative. If you need to measure something "softer" like customer satisfaction, find a way to make it quantitative, such as with a method like Net Promoter Score.
- Effective metrics must be easy to collect and analyze. (Wheatman says "If it takes 3 weeks to gather data that you report on monthly, you should find an easier metric to track.")
- Effective metrics are subject to trending. (Tracking progress and setting targets is vital to get people to pay attention.)
This set of guidelines really resonated with me, and I am going to run my metrics through this regimen to make my own metrics better. If you're a Gartner client, there is a detailed research report from Wheatman on this topic, and I suggest you grab a copy.
I've also learned that it helps to simplify how you report on metrics. When dealing with executives, stick with small numbers and primary colors - and when you get senior enough, try to boil it down to up/down, happy/sad.
What about you - do you have any best practices to share around metrics? Could you apply these to your own individual metrics or self-improvement goals?