Lord Kelvin once said: "When you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind." The majority of information security practitioners have a software engineering, electrical engineering or similar background, yet as an industry we seem to forget the importance of measurements and metrics. Without measuring the effectiveness of our processes, it is very hard - if not impossible - to look for trends, to spot misalignment between norms and the current state, or simply to make informed decisions. Even current trends point in the opposite direction; for example, in Critical Security Controls (CSC) version 5 we had "Effectiveness Metrics" and "Automation Metrics" sections for each control, but CSC version 6 only mentions the importance of metrics without going into any details. In this talk, we will give an overview of the current state of security metrics and the resources available for them. We will see why security metrics are important, how they relate to risk management, and whether there are "good" or "bad" metrics. We will also attempt to find the most vital security metrics that can indicate the effectiveness of an organization's overall security program. Finally, we will see a few examples of collecting and analyzing data for metrics, and of how we can visualize and present them to senior management. #securitysesion2018