We have all heard the business adage that you cannot manage what you don’t measure. For those in Information Security or Information Technology, this can have far-reaching implications. Without concrete data to query and present, business unit leaders are left wanting. It is difficult to grasp the importance of security or its necessity if there is nothing to back it up. A sound Metrics Program can help.