“Not everything that counts can be counted, and not everything that can be counted counts.”
I’ve been thinking about Security Metrics of late, and I’ve started discussing the idea with anyone who will listen. Unfortunately, these conversations typically take one of two paths – “Yeah – that’s great – when will you have them for me” or “What is it that you are going to count?”