GQM helps security teams avoid two common traps. In the first trap, strategy execution rarely gets measured. Without metrics, "No more network vulnerabilities" is more prayer than strategy. In the second trap, measurement doesn't support strategy. In security it's often easier to log events than to analyze them. But collecting data for no purpose is inefficient at best. At worst, it increases risk, especially when those data hoards may be legally discoverable.
Logic Modeling comes from monitoring and evaluation, a process discipline used by governments and large NGOs. If you're attempting something like improving public access to education, or reducing a water borne pathogen, you'll submit a logic model to the sponsor organization before getting support.
In essence, logic modeling is visual hypothesizing. You may believe a certain intervention (e.g. making more knowledge publicly available, or supplying at risk communities with water filters) will have a positive effect. That's your hypothesis: you do something and expect to get something. A logic model maps do's and get's by dividing them into formal inputs, outputs, and short and long term impacts. Consider the Wikimedia Foundation's program logic model.
Logic models can add value for security teams because security is an inherently interventionist process. Most initiatives pushed by a CISO are designed to effect a change. They rely on a hypothesis: "if we do X, we get Y..." That hypothesis can be tested empirically and the logic model defines that test. If the inputs don't produce the expected outputs and impacts, the intervention fails, either because the execution was flawed or the original hypothesis was.
Business Model Canvas (BMC)
BMC is another visual method for business alignment. Developed by Alexandar Osterwalder and available under a Creative Commons license, BMC puts the entire business model on one page. By exploring partners, resources, customers, costs, and revenues, BMC forces users to think about initiatives in business terms.
Completing a canvas, individually or through a facilitated workshop, encourages security teams to think about what they do like a product or service they are building and selling to customers both inside and outside the enterprise. This customer-centric brainstorming reveals insights about where security succeeds, struggles, or fails in the organization. Discussing security in terms of value propositions, customers, and channels help prepare members for talking to business stakeholders. Even unfamiliar concepts, like revenue, often have security parallels (chargebacks, budget increases, or money saved on incident response).
Sign up for Computerworld eNewsletters.