Metrics are the intended output of the ESPM. They are like the platform of the bridge: the metrics drive the connection from executives to operations as they contribute to the continued success of business operations. Every inch of a bridge is engineered, and an information security management program should be as well. The security profile score provides an overall view of the organization based upon the evaluation of each environment. "Too often, reports are made up of the easy-to-collect metrics or show a single metric instead of telling a story and providing useful information that drives action or shows business value" (Bruno, 2016). The ESPM metrics tell the cyber security risk story and are broken down into greater detail as they are presented to each level of management.
Identifying risk at the operational level enables management to allocate resources within the budget to increase the performance and facilitate improvement in the security profile scores.