
He added that security chiefs need to convert statistical, tactical and largely qualitative operational metrics into business metrics, which are more action-oriented, comprehensive and offer non-IT leaders strategic advice which enables them to take important business decisions.
To do this, firms usually move through various phases of maturity, starting with the collection of mainly technically-focused and reactive metrics, then the more proactive sharing of these metrics with the business, and the development of repeatable processes.
"The goal and the fourth stage is to enable the business to make intelligent decisions – that's a level of maturity which you achieve after a certain time, when you're comfortable with the metrics," explained Khark.