
The support site for the Unified Compliance Framework


Implementing Metrics Management

The steps are simple, once you admit you need metrics. But first, if you don't know what a metric is, then read the introduction to metrics section of this guide.

If you already get that part and want to move into the work breakdown for implementing metrics, then this is the section for you. Richard Lee, one of our distinguished field editors, suggested that we take the rest of this guide and present it to you in a detailed, step-by-step Work Breakdown Structure (WBS). Below is a minuscule, impossible-to-read version of the WBS for implementing metrics management. What you should be able to glean from it is that there are around 50-odd steps you'll need to eventually take in order to fully implement your metrics management program.

[Figure: Work Breakdown Structure for implementing metrics management]

The good news is that there are only six high-level steps that need to be followed when implementing metrics management, and those steps are listed below.

1. Figure out who needs metrics in your organization. If you don't know who needs metrics in your organization, then pay special attention to step 1.2, Finding your targets. Use your organization's awareness process for new compliance controls to communicate to this audience that you have a fairly well-developed set of metrics to choose from, and that they will need to give you the list of metrics to implement.

Have these people pick the metrics they want to implement from the list we provide. There are over a hundred there, found in three groupings:

    • Governance metrics

    • Management metrics

    • Technical metrics

If your team can't find the metrics they want to use, refer to the Supporting Organizations section for information on working with SecurityMetrics.org, the Center for Internet Security, or The Metrics Catalog to create a set of metrics you do want to use.

2. After you have selected the metrics you want to use (or even as a part of that process), you are going to need to assign the responsibility for gathering, interpreting, and reporting those metrics. This is best done as a part of defining your work functions rather than assigning metrics responsibilities to various people's titles.

3. Once you've picked the metrics you want to use and assigned responsibility for them, you will need to create a policy that addresses how measurement gathering is built into your policies and procedures, how you are going to store the information being gathered, and then how (and when) you are going to turn that data into the metrics being reported. You are then going to need to modify the metric reporting standards that we've started you with in the implementation toolkit.

4. The policies and procedures you have in place will dictate the skills and training you have to have, and they also shape the next step, which is tools and automation.

5. Once you have your base metrics in place, you'll want to think about automating the gathering of those metrics. This means that you might want to turn to a few applications, like those from ClearPoint Metrics, Skybox Security, or others.

6. Last but not least, you'll want to gather some metrics about your metrics. Don't laugh, I'm being serious here. You'll want to report on which metrics you've chosen to implement, which you are going to implement next, and which you'll probably never get to.
