There are lots of metrics for measuring security readiness and response, but we think this one's hard to beat: the time between when a security incident occurs at a major company and when the CEO is forced to make a grovelling public apology.
Forrester Research analyst Rick Holland suggests the 'mean time before CEO apologises' idea in a recent blog post. While it's tongue-in-cheek, it does highlight one of the most important lessons in IT security: it's always better to prevent an incident than to have to deal with the aftermath. And since you can't prevent everything, it's also crucial to be able to demonstrate everything you did do — since that will help the CEO prepare their apology.