Saturday, January 16, 2010

Book Review - "Security Metrics"

I'm just about done with Andrew Jaquith's book, "Security Metrics: Replacing Fear, Uncertainty, and Doubt". Measuring the success of an infosec program is a challenge in any organization. Specific tools (AV, etc.) might come with their own metrics packages, but they often don't get to the heart of a measurement that management can identify with. Jaquith does a really nice job of divide-and-conquer in this book. For each area of a security program, he asks "What problem are we really trying to solve?" and then proceeds to drill down to the data that actually measures progress against that problem. There are myriad examples of specific things to measure and even some suggestions for how to get at the data points. The last couple of chapters get away from specific areas of measurement and focus on statistical analysis and presentation. If you're struggling to demonstrate to management (or yourself) that your security program is making progress, then this book should be on your desk.
