Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
It’s critical to establish a set of security metrics and KPIs that measure risk improvement and effectiveness of your overall security program for several reasons beyond reporting to the board. Metrics tailored to both your security requirements
and the business will help guide future security decision-making and improve the security posture of your organization.
Security leaders can make it easier to measure risk improvement across vulnerability management, product security and other areas by using a framework to build key performance indicators (KPIs). This piece provides detailed guidance on creating meaningful
security metrics, KPIs and benchmarking.
The two main types of metrics used in security are “deployment” (i.e., percentage of coverage) and “effectiveness” (impact on risk reduction).
Most deployment metrics focus on percentage of coverage. A great example can be seen in the Center for Internet Security (CIS) Metrics. The CIS metrics are supportive
of the broad set of CIS benchmarks and the Top 18 CIS Controls.
CIS metrics break coverage into six “sigma levels.” These are progressive measures of deployment that range from 69% or less to 0.00034% or less (as follows):
For example: What percentage of the organization’s user accounts are not disabled if they cannot be associated with a business process or owner? An answer of 50% would be a Sigma Level One.
Other deployment metrics (also exemplified by CIS) focus on yes/no types of measures. In short, they state whether a control is deployed or not. For example: Does the organization automatically lock workstation sessions after a standard period of inactivity?
Overall, deployment metrics do not reveal the effectiveness of a control. They reflect how good you are at deploying security controls—not if those controls actually work well.
Effectiveness metrics measure the impact a security capability has on reducing risk. An example effectiveness metric could be: 90% of critical vulnerabilities are remediated within two weeks. Strictly speaking, remediation is a process, and the capability
is vulnerability management. A security capability will have several metrics that measure its key processes.
The goal for most metrics is security effectiveness and improvement, but these metrics require more thought. They are often customized to an organization's improvement needs. The following high-level framework makes creating effectiveness metrics simpler.
READ: Establishing Key Metrics to Monitor Network Performance
There are five canonical effectiveness metrics. The first two are “shift-right” measurements, which means they focus on improving the effectiveness of capabilities for cleaning up risk. The last three are “shift-left” metrics that
focus on measuring capabilities that support risk prevention. Below, are vulnerability management examples, used for simplicity and wide usage. However, you can measure any security process this way, be it related to vulnerability management, threat
intelligence, product security or something else. The five metrics are:
READ: Key Server and Endpoint Security Metrics to Track
The five effectiveness metrics help ease KPI development. You can use them across capabilities like vulnerability management, product security, threat intelligence, incident response and more. The goal is to start simple. Start by picking one metric,
one capability and one process. For example:
There are multiple reasons to start here. First, critical vulnerabilities must be fixed. Left unfixed they lead to exploitation and breach. Second, most organizations have vulnerability management programs. Last, measuring remediation can be straightforward.
Either your vulnerability management system or a ticketing system can source the data.
Now that you have your metric, you can create a workable KPI using the following steps:
Over time, you can apply all five metrics across myriad security capabilities and their processes, creating dozens of useful metrics.
READ: Operational Metrics CISOs Should Present to the Board
Creating worthwhile information security metrics and KPIs for executive leaders and the board doesn’t have to be difficult. To improve your chances of
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
September 26, 2023
By IANS Faculty
Access key data sets from the 2023 edition of IANS and Artico Search’s Security Budget Benchmark Report. Gain valuable insights on security budget increases and the drivers behind them.
September 21, 2023
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.