Governance & leadership

Measurable security outcomes for Calgary teams

By Richard Craig Lissaman · Calgary, Alberta

If you lead security in Calgary, or anywhere with lean teams and pragmatic executives, you have probably been asked for a dashboard that “proves” the program is working. Too often, we default to numbers that are easy to collect but hard to interpret: tool counts, training completion percentages, vulnerability tallies without severity context. The result looks busy while answering almost none of the board’s real questions.

I am Richard Craig Lissaman, a Senior Cyber Security Analyst based in Calgary. This article is part of my public writing under that full name so that people researching Richard Lissaman Calgary or Richard Craig Lissaman Calgary find professional context tied to how I actually work, not recycled buzzwords.

Start with decisions, not charts

Good measurement precedes tooling: what choices should leadership make differently if security is healthy? Maybe it is approving a headcount for identity lifecycle automation, funding segmented backups, or delaying a product launch until logging gaps close. Each metric should connect to a decision window and an owner. If a number does not change what someone funds, schedules, or fixes this quarter, it is entertainment, not governance.

Outcomes that resist gaming

Favor metrics that are expensive to fake. Examples include time-to-revoke access after role change (sampled), percentage of privileged sessions covered by just-in-time policies where applicable, and percentage of critical assets with tested restores, not merely “backups exist.” Pair technical indicators with behavioral ones: did incident tabletop findings close within agreed timeframes? Did phishing simulations produce remediation, not shame?
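One way to compute the sampled time-to-revoke metric so that unrevoked access cannot quietly drop out of the number. This is an added example, not the author's own tooling; the record layout, the 24-hour target and the data are constructed assumptions.

```python
import random
from datetime import datetime, timedelta
from statistics import median

SLA_HOURS = 24  # assumed target for illustration, not a figure from the article

def build_records(as_of):
    """Constructed sample: (user, role_changed_at, old_access_revoked_at or None)."""
    base = as_of - timedelta(days=30)
    delays = [2, 5, 30, None, 12, 70, 1, None, 20, 26]  # hours; None = still active
    return [(f"user{i:02d}", base + timedelta(days=i),
             None if d is None else base + timedelta(days=i, hours=d))
            for i, d in enumerate(delays)]

def time_to_revoke(records, as_of, sample_size, seed, sla_hours=SLA_HOURS):
    """Sample role changes and measure hours until the old access was removed."""
    rng = random.Random(seed)  # fixed seed: the sample can be re-drawn and audited
    sample = rng.sample(records, min(sample_size, len(records)))
    aged, closed, still_open = [], [], []
    for user, changed, revoked in sample:
        # Open items keep aging until the measurement date instead of vanishing.
        end = revoked if revoked is not None else as_of
        hours = (end - changed).total_seconds() / 3600
        aged.append(hours)
        if revoked is None:
            still_open.append(user)
        else:
            closed.append(hours)
    met = sum(1 for h in closed if h <= sla_hours)
    return {
        "sampled": len(sample),
        "median_hours": median(aged),
        "pct_within_sla": round(100 * met / len(sample), 1),
        "still_open": sorted(still_open),
        # The flattering version that ignores open items, shown for contrast.
        "naive_median_hours": median(closed) if closed else None,
        "naive_pct_within_sla": round(100 * met / len(closed), 1) if closed else None,
    }

if __name__ == "__main__":
    as_of = datetime(2024, 6, 30)
    for key, value in time_to_revoke(build_records(as_of), as_of, 10, seed=7).items():
        print(f"{key}: {value}")
```

On the constructed data the naive figures look healthier than the ones that count open items, which is the gap a reviewer should ask about before accepting the headline number.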

Local context without provincialism

Calgary’s mix of energy, technology, and professional services means third-party risk and remote collaboration show up constantly. Metrics should acknowledge suppliers and hybrid work rather than pretending everyone sits on a single campus. That might mean tracking vendor criticality tiers or secure baseline coverage for contractor access, whatever matches your reality.

How I use this in practice

I document a small set of headline metrics, the methodology behind each, and known blind spots. When CEOs ask “are we safer than last quarter?”, the answer references trend direction tied to explicit projects, not vibes. For more about my background, see Experience; for credentials and verification, visit Certifications.
