I grew up in a Greek family where I quickly learned that communicating, true communicating, didn't mean speaking at someone. It means speaking with them. It means that there's about half as much talking (okay, in my family it meant shouting to be heard) as there is listening.

Once you have arrived at this step, you already have your materials and your audiences, you have assessed their current levels of awareness, and you are ready to educate them on why they need metrics and which metrics they need. You are (hopefully) excited about this whole thing. And then you meet the "ain't no way no how" folks.

What you've just done is institute the idea of change. And nobody likes change (no matter what we say). When communicating your message, you are going to have to overcome objections. Simple as that.

One of our field editors tackled objections by "leveraging the IT Governance Institute's Board Briefing on IT Governance and literally provided each director a hard copy of the ITGI's Information Security Survival Kit for Board of Directors/Trustees and emphasized that the questions on this checklist were all things for which they would be expected to have answers. In other words, I made them understand that responsibility rested squarely with them and, in combination with some recent corporate top level lynchings, got it through to them that "I don't know" was no longer acceptable."

One of the first objections you are going to face is the "we don't have the time to do this" objection.

If you are getting this complaint, it is because the "tone at the top" of the organization has not set either the gathering or reporting of metrics as a priority. And, maybe for those in charge, metrics (or at least the full suite) aren't that important. But then again, maybe those folks at the top aren't familiar with some of the regulatory guidelines they have to follow, the contracts they have signed, or the Service Level Agreements they have chosen to uphold. The best way to fend off this complaint is to check and see if your organization will be sued by your clients, or if your leaders might be led away in handcuffs and have to trade their three piece suits for one piece, bright orange overalls. That usually does the trick.