Measuring the success of a security program is something that has always been a challenge in our industry. This challenge is felt even more acutely in the small and medium-sized business (SMB) arena. There is some good news, however. Although the value and relevancy of different metrics will vary widely by organization, taking the approach of measuring success and failure against enumerated goals and priorities can help. Risk management isn't just a good exercise for strengthening an organization's security posture -- it can also help the organization measure its progress and improvement. My thoughts on this topic in The Business Journals: http://www.bizjournals.com/bizjournals/how-to/growth-strategies/2014/10/measuring-success-of-a-security-program.html.