Historically, many organizations have focused on absolute security metrics. Absolute security metrics are metrics that are not tied to any specific risk or threat that the organization seeks to mitigate. The trouble with absolute metrics is that they don't provide us with much actual insight into the success and progress of our security program. So what can an organization do to better measure itself? I cover that topic in today's SecurityWeek piece entitled "Using Relative Metrics to Measure Security Program Success": http://www.securityweek.com/using-relative-metrics-measure-security-program-success.