Gunnar just hit a home run responding to John Pescatore's one-line, twelve-word summarization of how to measure a security program's effectiveness. Read Gunnar's post in its entirety, but here's the short version:
Pescatore says:
To which Gunnar suggests:
...and revises Pescatore's assertion to read:
To which, given today's economic climate, I argue the following simplification:
I maintain that if, as John suggests, you want to introduce the emotive index of "happiness" and relate it to a customer's overall experience when interacting with your business, then the best security program is one that isn't seen or felt at all. Achieving that Zen-like balance is, well, difficult.
It's hard enough to derive metrics that adequately define a security program's effectiveness, value, and impact on risk. Balanced scorecard or not, the last thing we need is the introduction of a satisfaction quotient that tries to quantify (on a scale from 1-10?) the "warm and fuzzies" a customer enjoys whilst having their endpoint scanned by a NAC device before attaching to your portal... ;)
I understand what John was shooting for, but it's like suggesting that there's some sort of happiness I can achieve when I go shopping for car insurance.
/Hoff