Yesterday, I attacked metrics claiming that the way they are being used today, they were useless to upper management and didn’t relate the value of the InfoSec team to the business. While I stand behind that claim, also believe that a lot of metrics being performed today are very useful to technical management especially those with operation responsibilities. With that in mind, I’d like to point our readers to a newish blog, Security Retentive by Andy Steingruebl. Andy and I worked together way back when and I can’t say enough nice things about him. On Sunday, Andy talked about building effective metrics. In this case, he talked about vulnerability management though he promises to cover anti-virs software and software security in later posts. I for one will be on the lookout for the follow-ups. Andy covers a good strategy for launching and measuring a vulnerability management program. I don’t want to steal his thunder, so go read what he has to say.