Security metrics' crying need is for metrics that serve others, outside of infosec.
In infosec, we think of the biggest influencers as the people who give talks at conferences. I disagree. Here is my list of the top five influencers on your security: these are the people who will impact security, positively and/or negatively.
- The Person Coding Your App
- Your DBA
- Your Testers
- Your Ops team
With the possible exception of #5, none of them work in security. This is alarming because the security industry markets almost exclusively to security teams. Yet, with very few exceptions, every security decision is made outside of the information security team. Decisions that shape our security are made by developers, admins, architects, "the business", DBAs, customers, users, and on and on. Infosec is one very small department, yet our metrics, "breach reports" and the like are tailored to this tiny rounding error of a department (and, of course, the people who fund them).
A good way to get better, more useful security metrics is to focus on the crying need for security metrics that help other parts of the organization. Find ways to get useful information into other teams' hands, and help them make and run better software.