When designed appropriately and measured objectively, metrics are an indispensable part of a mature security program. Solid metrics can help an organization measure and track risk and performance as well as make educated adjustments and decisions as required. While most security professionals recognize and understand this, in practice, only a few organizations actually realize significant benefits from security metrics. There are many approaches to building an effective security metrics program. In this piece, I’d like to share some thoughts on a framework that has worked well for me.