Using security enquiries by customers as a security metric
On CISSPforum, Walt Williams suggested a novel security metric:
"If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or, better, revenue brought in. You're now tracking your return on investment and a key risk: if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report. You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization. My organization's last quarter internal company meeting had the Senior Revenue Officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer. It doesn't get much better than that."
So, inspired by Walt's intriguing idea, I prepared a conventional metric specification using a combination of the Goal-Question-Metric approach (as ably described by Lance Hayden - a method as useful in information security as in other fields) followed by a PRAGMATIC evaluation (as ineptly described by yours truly plus Krag Brotby - a subjective assessment of the value of the metric in the presumed context of a mid-to-large commercial organisation):
The 74% PRAGMATIC rating is pretty strong, suggesting that this metric - or some variant of it - would be worth considering and perhaps trialling as part of a suite of security metrics. It looks quite promising.
Feel free to challenge or question the ratings and suggest improvements to the metric. For instance, is there a better, more objective and reliable way to determine the value of sales that can be attributed to information security? Could useful information be determined more simply or at lower cost? Is there a better way of answering the rhetorical questions relating to business goals in this area?
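To make the metric concrete, here is an added example (my own illustration, not code from Walt or from the PRAGMATIC book) that computes it from a constructed sales pipeline: each deal records whether the customer raised a security enquiry (questionnaire, SOC 2 report, ISO certification), whether it was won, and its revenue, and the function reports logos and revenue won for enquiring versus non-enquiring customers, plus the share of won revenue that passed through a security enquiry. The customer names, figures and the `Deal` record layout are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Deal:
    customer: str                       # constructed name, not a real customer
    won: bool                           # did the deal close?
    annual_revenue: float               # constructed contract value
    security_enquiries: Tuple[str, ...] = ()   # e.g. ("questionnaire", "SOC 2")


def _summarise(group: list) -> Dict[str, float]:
    won = [d for d in group if d.won]
    return {
        "deals": len(group),
        "logos_won": len(won),
        "win_rate": len(won) / len(group) if group else 0.0,
        "revenue_won": sum(d.annual_revenue for d in won),
    }


def security_enquiry_metric(deals: Iterable[Deal]) -> dict:
    """Walt's metric: deals where the customer asked a security question,
    tracked against logos added and revenue won, with the non-enquiring
    deals kept as a comparison group and a per-enquiry-type breakdown."""
    deals = list(deals)
    enquiring = [d for d in deals if d.security_enquiries]
    others = [d for d in deals if not d.security_enquiries]
    by_type: Dict[str, Dict[str, float]] = {}
    for d in enquiring:
        for kind in d.security_enquiries:
            t = by_type.setdefault(kind, {"deals": 0, "logos_won": 0, "revenue_won": 0.0})
            t["deals"] += 1
            if d.won:
                t["logos_won"] += 1
                t["revenue_won"] += d.annual_revenue
    with_enq, without_enq = _summarise(enquiring), _summarise(others)
    total_won = with_enq["revenue_won"] + without_enq["revenue_won"]
    return {
        "with_enquiry": with_enq,
        "without_enquiry": without_enq,
        "by_enquiry_type": by_type,
        # Share of all won revenue that had to pass a security enquiry:
        # the revenue at risk if those enquiries had been failed.
        "security_revenue_share": with_enq["revenue_won"] / total_won if total_won else 0.0,
    }


SAMPLE_DEALS = [  # constructed pipeline for illustration only
    Deal("Acme Bank", True, 1_200_000.0, ("questionnaire", "SOC 2")),
    Deal("Globex Health", True, 450_000.0, ("ISO 27001",)),
    Deal("Initech", False, 300_000.0, ("questionnaire",)),
    Deal("Hooli Retail", True, 80_000.0),
    Deal("Vandelay", False, 60_000.0),
    Deal("Umbrella Logistics", True, 150_000.0),
]
```

Running `security_enquiry_metric(SAMPLE_DEALS)` on the constructed data attributes 1,650,000 of the 1,880,000 won revenue (about 88%) to deals that passed a security enquiry, which is the kind of figure Walt's post suggests reporting alongside the logo count.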