I am blogging every day (or nearly every day) on The Daily Drucker: 366 Days of Insight and Motivation for Getting the Right Things Done.
The action point is to identify the most important nonbusiness institution I am associated with. Does it use a specific yardstick to assess performance? How successful is the organization? I believe an organization’s security falls into this category. It’s a red line for most companies, which means it sucks up money rather than making it. How do you show value in that?
Within my sphere I use effort points for the work we do. This is the effort needed to complete a task as part of our workflow. It’s a team stat and not an individual stat, because people will start sandbagging the numbers to get above anyone they’re compared to. Making it a team stat means everyone is included as a team. I should be watching and correcting for behaviors that affect that number.
For security in general, how we are measured is a tough question. If we’re doing our jobs correctly, the organization is avoiding the loss of productivity and finances that comes with a breach. We have been complimented on the speed with which we respond to security incidents. On the security team I’m on, we all do very different functions to help keep the company safe. That makes it harder to compare. Individually we have a rating system that most companies use for things like annual reviews. Those are subjective, though, and again lead to manipulation by people who assign a rating.
Not a great answer. Something I think we’re trying to solve for though.