Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
The best security metrics programs support a variety of needs, from the operational to the tactical and strategic. This piece explains how to build a metrics program that aligns with the needs of various stakeholders and helps support actionable decision-making across the business.
Organizations often struggle to establish effective security metrics programs. Threats are constantly evolving, and many teams are missing key performance indicators (KPIs) or using metrics that lack strong industry alignment. In addition, some teams present operational metrics to C-level executives and board members and are then surprised when decisions and budgetary investments get bogged down.
Elite security metrics programs align with key stakeholders (operational, tactical and strategic) to drive decisions and support actions. For this alignment to happen, however, data must be captured and presented in a way that provides the right degree of actionable information for each level.
More importantly, security metrics must be clear, concise, and easy to understand. Figure 1 explains the different features of operational, tactical, and strategic metrics.
Data and information are critical at the operational level. Some organizations choose to match processes with tools and make reviewing these technology-specific dashboards and metrics part of the daily playbook. For example, vulnerability scanners often have dashboards and metrics built into the product.
These dashboards feature a high percentage of high-severity vulnerabilities, which may trigger a threshold for the operator to kick off a task to bring that number back in line with expectations.
Operational metrics are seldom used for strategic decision-making unless they are tied together to support a strategic outcome. In essence, they provide data that can be rolled up to support higher-level decisions.
Program-level projects and operational health dashboards often incorporate strategy and vision at the tactical level. Strategic input, tactical metrics and reporting align to fulfill the organization’s strategy and support key decision-makers. This data often originates from:
You can find most of these metrics in systems that support security. Standard practice is to assemble a dashboard for key decision-makers, so they can engage directly with the content during their reviews. Consider creating a dashboard of dashboards (see an example in Figure 2) to make the content more easily digestible, either in a slide deck or using a data visualization tool.
The goal is to make it easy to find critical data to support tactical decisions and meet the objectives outlined in the strategy. Your tactical metrics will evolve based on staff skills, completeness of planning, threat evolution and incidents where it’s clear the existing strategy is off target and requires course correction.
Tactical-level metrics and reporting are often used during program reviews discussing project progress and security investments. It is important to approach the information through the lens of automation: How automated (manual, semi-automated or fully automated) is the process being reported on? Group the metrics accordingly.
For example, tactical metrics can highlight when a manual process needs improvement or when a semi-automated process needs to scale. Identifying these opportunities enables teams to effectively use resources and investments and address gaps in strategic funding and budgeting.
DOWNLOAD: The 2023 Security Budget Benchmark Report
Strategic Metrics: Convert Strategy into Goals
C-level executives and board members meet routinely to discuss organization wide performance against strategic milestones—often once a quarter and centered around investment decisions. To align with this practice, consider converting the organization’s security strategy into top-level goals, with defined investments and KPIs.
Also, consider presenting the data in the same manner (summaries, format, etc.) as other departments. If this isn’t possible, try to use a consistent, durable format that can be replicated, regardless of the security process.
At the executive and board levels, strategy is commonly translated into organization-wide improvements with health metrics to demonstrate progress. This is not necessarily standard practice for security, however, reporting to the board is still quite new and we are still working out the best methods to standardize content.
That said, it’s important to consider how boards consume content:
Information is usually conveyed in a slide deck, so the board can pre-read the deck before the formal discussion.
Tips to Build a Strong Metrics Program
As you align your metrics, consider the following steps:
Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security budgets, organizational design, staff compensation, and job satisfaction.
These in-depth reports feature new takeaways, uncover a wealth of insights, and provide valuable leadership guidance to fine-tune your current role, department, and career path.
Download our Security Budget Benchmark Report – the first in our CISO Comp and Budget Report series – and gain access to key budgetary data and other valuable insights helpful to gain security investment buy-in.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
November 30, 2023
By IANS Research
CISOs, find guidance on what to focus on within the first 30 days, 6 months and first year of your tenure to ensure a fast, successful start.
November 28, 2023
Use this checklist of best practices, designed to help CISOs and cybersecurity leaders protect their organizations and avoid SEC compliance missteps.
November 21, 2023
Access key data sets from the 2023 edition of IANS and Artico Search’s Security Organization and Compensation Benchmark Report. Gain valuable insights on functional leadership compensation to hire and retain top security talent.