
I heard a few people the other day speaking about metrics, and they said that measuring risk was hard --- if only it was as easy as their fitness program.
Since I'm interested in both, I needed to stop everything and jump into the conversation. The claim they made was that their fitness program was as simple as measuring the calories they took in and the calories that they burn; given some deficit, they are able to stay fit. In one case the objective was weight loss and they clearly were making progress. Good deal. Not to just be a pain in the ass, but I had to argue their claim based on: 1) their understanding of a calorie was wrong, and 2) even if wrong, it was good enough to get to the results they required at this point in their fitness program. At some point, they would hit a wall and need a more precise understanding in order to move forward, and this is an exact parallel to what happens with IT risk measurement and risk management in general.
Let me explain the calorie thing first and then return to how it connects with risk metrics. Counting calories on everything we ingest is how most people early in their fitness program go about managing their intake; counting calories from your heart rate monitor or some fancy exercise machine is how we go about measuring the intensity of a workout. When you first start out, this level of understanding is sufficient but, as you progress, you quickly discover that 500 calories of fruit and Greek yogurt is not the same as 500 calories of Twinkies. Remember, a calorie is a simple unit of measurement for heat, developed in the 19th century. At the time, a method of measurement was needed to explain the theory of heat conservation around the leading technology of the day: steam engines. Dude, last I checked, my biology was not that of a steam engine. Although I did enjoy a science project with my youngest where we got to set fire to all kinds of foods. My point here is that, while a calorie is almost a misrepresentation of what is going on, it is 'good enough' to speak about calories (kCals, in this case, eaten and burned); as you become more and more fit, you will need to get more precise and actually deal with the stuff your body is really using: carbohydrates, protein and fat. The billions of mitochondria that make up the engine that is your body are just slightly more complex than steam engines.
Back to risk metrics and management: for an organization that is not fit at all, the measurement of any crude parameter will yield improvements, or at least the opportunity for an interdepartmental conversation that aligns objectives and goals. As you get more and more fit, you will need to get more refined in what you measure and in how those measurements are socialized.
The last thing to remember is that just because you are operationally fit, it does not mean you are secure. To use an analogy, when you watch the World Cup, all the teams train hard and all the players are among the most fit individuals in the world, but that does not guarantee any of them the World Cup. Being operationally fit is 'table stakes' but winning at security is about knowing how to play the game well. More on this in another blog post.
