Measuring security is sort of like measuring happiness. How do you compare your happiness with someone else's? Are you happy? Are you happier today than you were yesterday? Will the things that make you happy today make you happy tomorrow? More importantly, will you discover that you thought you were happy, but it was only because of ignorance?

Measuring security is one of the most difficult tasks a security leader faces. How do you measure something that has no quantifiable definition? There just isn't an accepted metric by which to measure or compare, yet this is exactly what most board members want to know.

I always chuckle when I review a new contract for our company that has verbiage that says we must maintain "adequate security". Do you know what "adequate security" means? I do. It means you haven't been breached yet. By definition, once you are breached, your security wasn't adequate. Agreeing legally to maintain "adequate security" is tantamount to legally agreeing to never be breached.

This is a real challenge for the security professional because we have all been taught that you can only manage what you can measure.
Well... if that is true, how do we measure security?

For most of us, lacking any way to measure security directly, we resort to indirect measurement by measuring the attributes of a system that we believe to be secure. Unfortunately, most of us are measuring the wrong things.

Most larger companies, or those in specific industries, perform audits that measure a predefined set of controls that are believed to be indicative of a secure system. Most of those controls are defined by any number of security frameworks (NIST, COBIT, ISO, etc.), but audits only tell us if we comply with reporting or control requirements.

One company, Secure Digital Solutions, an information security firm headquartered in Minneapolis, recognized this conundrum and built a tool that doesn't actually measure security, but measures controls in a way that reveals patterns and process issues. More importantly, it provides advice on what to do to be more secure.

"Controls are for auditors. Processes are for managers," says Chad Boeckmann, founder and CEO of Secure Digital Solutions.

I think he's on to something. Security isn't a machine problem. It is a human problem. In the long run we can't be more secure by just throwing more controls or bigger firewalls at the problem. We need to manage the people and the process of security.
Those of you that follow my blog know that I'm a firm believer in the people part of every problem and every solution.

Boeckmann goes on to comment: "There are three aspects that a good security leader needs to consider beyond risk:

1. The team's capacity to get things accomplished
2. The effectiveness of the team to accomplish the goals
3. How to best represent the business value the security program is delivering"

From the demo I saw, I'd say their TrustMAPP platform gives the security leader insight into all three. I'm always impressed when I see business people focusing on people and not just tools. Don't get me wrong, tools are needed, but they should enhance how we deal with processes run by people and not simply be used as a final solution to a control objective.

In the end, the security leader will be asked by others not only to measure the immeasurable, but to quantify and attest to the company's state of security. Since it is pretty much impossible to do that with a purely technological approach to solving security challenges, and since security is a constant process, the security leader should focus on the process of continuously adapting and improving security and communicate the changes those processes have made.

The National Association of Corporate Directors published a survey in October 2015 indicating 31 percent of company directors are dissatisfied with the quality of information from management regarding cyber security. It is no longer adequate for a security leader to report on the number of incidents they responded to or the success of the latest awareness campaign or phishing exercises. Security leaders must begin to speak the language of the business: forecast improvements, state the investments required, and track improvement against consistent key process indicators. This is the same rigor applied to other areas of the business, and information security or cyber security must rise to it.