One of the many difficult tasks in security leadership is showing senior management and other business leaders exactly how, where, and how much security investments positively impact the bottom line (assuming, that is, that security’s impact is positive).
Data for metrics should be readily available in a well-managed security function, but is it always persuasive? The impacts of security-related events and decisions are often complex, making causality difficult to establish. That is, the security leader may see that a sales increase corresponds with a certain risk mitigation decision, but it may be hard to show that the decision – and not the recent marketing campaign, or the upcoming holiday weekend, or the drop in oil prices – definitively caused the increase.