The more I interact with security ‘thought leaders’, the more I understand why so many companies have a terrible security posture and why security is perceived as a pain-in-the-ass showstopper.
Lots of middle-management ‘security’ experts suck shit socially, that’s why.
There are no metrics that you can use to immediately measure the direct ROI of empathy and of being nice to your coworkers.
Being a good person is just the right thing to do. When you’re nice to your peers, they want to be nice to you and will more likely help you when you need them.
Policies and procedures are meant to remove roadblocks, not to become roadblocks themselves.
If metrics are more important to you than people, then the numbers won’t ever look good.
Every tech business is a people business; the technology comes second. I wish more [security] folks understood that just because you can’t reliably justify the time spent on security awareness education and relationship building doesn’t mean you shouldn’t be doing it.
First you need to give it a try, and then, over the long term, you can measure how effective it is by analyzing, for example, a lower number of security incidents. The sanest metric, however, is to count how often people stop by your desk to talk with you about their problems and projects.
There are ways, so saying “I can’t find metrics” is just a cheap excuse. It’s your job to do whatever it takes to earn a budget for it, and if that means you need to educate your superiors to start respecting intangible metrics, then you should do that.