

Build a Security Metrics Program to Drive Maturity

Good metrics come from good goals.

  • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.
  • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
  • Because metrics can become very technical and precise, it's easy to think that they're inherently complicated (not true).

Our Advice

Critical Insight

  • The best metrics are tied to goals.
  • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

Impact and Result

  • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new, more specific goals, and with them come more specific metrics.
  • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
  • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training).

Build a Security Metrics Program to Drive Maturity Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a security metrics program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

| Overall Impact | Average $ Saved | Average Days Saved |
|---|---|---|
| 9.0/10 | $14,594 | 10 |

| Client | Experience | Impact | $ Saved | Days Saved | Comment |
|---|---|---|---|---|---|
| City of Tucson Information Technology Department Office of the Deputy Director | Guided Implementation | 10/10 | $47,950 | 20 | "The most valuable aspect of this experience was the advisor's exceptional industry expertise and ability to deliver insights that extended beyond t..." |
| Superior Group of Companies, Inc. | Guided Implementation | 10/10 | $12,330 | 5 | |
| Louisville and Jefferson County Metropolitan Sewer District | Guided Implementation | 7/10 | $2,466 | 2 | "Petar did a great job and the spreadsheet of metrics was solid. We'll be able to use this tool to help direct some rich discussion on our cyber KP..." |
| University of Tasmania | Guided Implementation | 9/10 | $1,820 | 10 | "Great to see ready to use toolkits." |
| Braun Intertec Corporation | Guided Implementation | 9/10 | N/A | N/A | "Petar was an amazing resource and his guidance and input was instrumental in the success of this project." |
| Bath Iron Works Corporation | Guided Implementation | 9/10 | $12,999 | 5 | "Good exchange of ideas and overall communications. Representative was able to take customer's base idea and concepts and translate them into action..." |
| NIPPON GASES EURO-HOLDING, SLU | Guided Implementation | 9/10 | $10,000 | 20 | |



ANALYST PERSPECTIVE

Metrics are a maturity driver.

"Metrics programs tend to fall into two groups: non-existent and unhelpful.

The reason so many security professionals struggle to develop a meaningful metrics program is that they are unsure of what to measure or why.

The truth is, for metrics to be useful, they need to be tied to something you care about – a state you are trying to achieve. In other words, some kind of goal. Used this way, metrics act as the scoreboard, letting you know if you’re making progress towards your goals, and thus, boosting your overall maturity."

Logan Rohde, Research Analyst, Security Practice Info-Tech Research Group

Executive summary

Situation

  • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.

Complication

  • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
  • Because metrics can become very technical and precise, it's easy to think they're inherently complicated (not true).

Resolution

  • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new, more specific goals, and with them come more specific metrics.
  • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
  • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training).

Info-Tech Insight

  1. Metrics lead to maturity, not vice versa
    • Tracking metrics helps you assess progress and regress in your security program. This helps you quantify the maturity gains you’ve made and continue to make informed strategic decisions.
  2. The best metrics are tied to goals
    • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

Our understanding of the problem

This Research is Designed For:

  • CISO

This Research Will Help You:

  • Understand the value of metrics.
  • Right-size a metrics program based on your organization’s maturity and risk profile.
  • Tie metrics to goals to create meaningful KPIs.
  • Develop strategies to effectively communicate the right metrics to stakeholders.

This Research Will Also Assist:

  • CIO
  • Security Manager
  • Business Professionals

This Research Will Help Them:

  • Become informed on the metrics that matter to them.
  • Understand that investment in security is an investment in the business.
  • Feel confident in the progress of the organization’s security strategy.

Info-Tech’s framework integrates several best practices to create a best-of-breed security framework

Information Security Framework

Governance

  • Context and Leadership
    • Information Security Charter
    • Information Security Organizational Structure
    • Culture and Awareness
  • Evaluation and Direction
    • Security Risk Management
    • Security Policies
    • Security Strategy and Communication
  • Compliance, Audit, and Review
    • Security Compliance Management
    • External Security Audit
    • Internal Security Audit
    • Management Review of Security

Management

  • Prevention
    • Identity Security
      • Identity and Access Management
    • Data Security
      • Hardware Asset Management
      • Data Security & Privacy
    • Infrastructure Security
      • Network Security
      • Endpoint Security
      • Malicious Code
      • Application Security
      • Vulnerability Management
      • Cryptography Management
      • Physical Security
      • Cloud Security
    • HR Security
      • HR Security
    • Change and Support
      • Configuration and Change Management
      • Vendor Management
  • Detection
    • Security Threat Detection
    • Log and Event Management
  • Response and Recovery
    • Security Incident Management
    • Information Security in BCM
    • Security eDiscovery and Forensics
    • Backup and Recovery
  • Measurement
    • Metrics Program
    • Continuous Improvement

Metrics help to improve security-business alignment

While business leaders are now taking a greater interest in cybersecurity, alignment between the two groups still has room for improvement.

Key statistics show that just...

5% of public companies feel very confident that they are properly secured against a cyberattack.

41% of boards take on cybersecurity directly rather than allocating it to another body (e.g. audit committee).

19% of private companies do not discuss cybersecurity with the board.

(ISACA, 2018)

Info-Tech Insight

Metrics help to level the playing field

Poor alignment between security and the business often stems from difficulties with explaining how security objectives support business goals, which is ultimately a communication problem.

However, metrics help to facilitate these conversations, as long as the metrics are expressed in practical, relatable terms.

Security metrics benefit the business

Executives get just as much out of management metrics as the people running them.

  1. Metrics assuage executives’ fears
    • Metrics help executives (and security leaders) feel more at ease with where the company is security-wise. Metrics help identify areas for improvement and gaps in the organization’s security posture that can be filled. A good metrics program will help identify deficiencies in most areas, even outside the security program, helping to identify what work needs to be done to reduce risk and increase the security posture of the organization.
  2. Metrics answer executives’ questions
    • Numbers either help ease confusion or signify other areas for improvement. Offering quantifiable evidence, in a language that the business can understand, offers better understanding and insight into the information security program. Metrics also help educate on types of threats, staff needed for security, and budget needs to decrease risk based on management’s threat tolerance. Metrics help make an organization more transparent, prepared, and knowledgeable.
  3. Metrics help to continually prove security’s worth
    • Traditionally, the security team has had to fight for a seat at the executive table, with little to no way to communicate with the business. However, the new trend is that the security team is now being invited before they have even asked to join. This trend allows the security team to better communicate on the organization’s security posture, describe threats and vulnerabilities, present a “plan of action,” and get a pulse on the organization’s risk tolerance.

Common myths make security metrics seem challenging

Security professionals have the perception that metrics programs are difficult to create. However, this attitude usually stems from one of the following myths. In reality, security metrics are much simpler than they seem at first, and they usually help resolve existing challenges rather than create new ones.

| # | Myth | Truth |
|---|---|---|
| 1 | There are certain metrics that are important to all organizations, based on maturity, industry, etc. | Metrics are indications of change; for a metric to be useful it needs to be tied to a goal, which helps you understand the change you're seeing as either a positive or a negative. Industry and maturity have little bearing here. |
| 2 | Metrics are only worthwhile once a certain maturity level is reached. | Metrics are a tool to help an organization along the maturity scale. Metrics help organizations measure progress on their goals by helping them see which tactics are and are not working. |
| 3 | Security metrics should focus on specific, technical details (e.g. of systems). | Metrics are usually a means of demonstrating, objectively, the state of a security program. That is, they are a means of communicating something. For this reason, it is better that metrics be phrased in easily digestible, non-technical terms (even if they are informed by technical security statistics). |

Tie your metrics to goals to make them worthwhile

SMART metrics are really SMART goals:

  • Specific
  • Measurable
  • Achievable
  • Realistic
  • Timebound

Achievable: What is an achievable metric?

When we say that a metric is “achievable,” we imply that it is tied to a goal of some kind – the thing we want to achieve.

How do we set a goal?

  1. Determine what outcome you are trying to achieve.
    • This can be small or large (e.g. I want to determine what existing systems can provide metrics, or I want a 90% pass rate on our monthly phishing tests).
  2. Decide what indicates that you’ve achieved your goal.
    • At what point would you be satisfied with the progress made on the initiative(s) you’re working on? What conditions would indicate victory for you and allow you to move on to another goal?
  3. Develop a key performance indicator (KPI) to measure progress towards that goal.
    • Now that you’ve defined what you’re trying to achieve, find a way to indicate progress in relative or relational terms (e.g. percentage change from last quarter, percentage of implementation completed, ratio of programs in place to those still needing implementation).
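The three steps above (outcome, condition for success, KPI in relative terms) can be made concrete in code. The following is an added example written for this page, not Info-Tech's tracking tool: it models a goal as a target value with a deadline, computes the two KPIs the page uses as illustrations (phishing-test pass rate and percentage of departments trained), reports the quarter-over-quarter change, and classifies each KPI as achieved, in progress, or missed. Every goal name, target, deadline and monthly figure is constructed for the example.

```python
# Added example (not Info-Tech's tool): goal-tied KPI evaluation over
# constructed sample data. Goal names, targets, deadlines and the monthly
# phishing / training figures are all invented for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Goal:
    """A SMART goal: a named target value with a deadline."""
    name: str
    target: float            # the value that counts as "achieved"
    deadline: date           # the Timebound part of SMART
    higher_is_better: bool = True


def percentage(part, whole):
    """Percentage of `whole` that `part` represents, rounded to 0.1."""
    if whole == 0:
        raise ValueError("percentage of zero is undefined; check the data feed")
    return round(100.0 * part / whole, 1)


def percent_change(previous, current):
    """Relative change between two periods; None when the baseline is 0."""
    if previous == 0:
        return None
    return round(100.0 * (current - previous) / previous, 1)


def quarter_pass_rate(months):
    """Pass rate = simulated emails not clicked, over all simulated emails sent.
    Raw counts are aggregated first so that small months are not over-weighted."""
    sent = sum(m["sent"] for m in months)
    clicked = sum(m["clicked"] for m in months)
    return percentage(sent - clicked, sent)


def evaluate(goal, value, as_of):
    """Classify the KPI against its goal: achieved / in progress / missed."""
    met = value >= goal.target if goal.higher_is_better else value <= goal.target
    if met:
        status = "achieved"
    elif as_of > goal.deadline:
        status = "missed"
    else:
        status = "in progress"
    return {"goal": goal.name, "value": value, "target": goal.target, "status": status}


# Constructed sample data for a hypothetical organisation.
PHISHING_RESULTS = {
    "Q1": [{"sent": 200, "clicked": 40}, {"sent": 200, "clicked": 34}, {"sent": 200, "clicked": 30}],
    "Q2": [{"sent": 200, "clicked": 22}, {"sent": 200, "clicked": 20}, {"sent": 200, "clicked": 18}],
}
DEPARTMENTS_TOTAL = 12
DEPARTMENTS_TRAINED = 7
AS_OF = date(2024, 6, 30)

PHISHING_GOAL = Goal("90% pass rate on monthly phishing tests", 90.0, date(2024, 6, 30))
TRAINING_GOAL = Goal("All departments complete security training", 100.0, date(2024, 12, 31))


def run_report(as_of=AS_OF):
    """Compute each KPI, its goal status and the quarter-over-quarter trend."""
    q1 = quarter_pass_rate(PHISHING_RESULTS["Q1"])
    q2 = quarter_pass_rate(PHISHING_RESULTS["Q2"])
    trained = percentage(DEPARTMENTS_TRAINED, DEPARTMENTS_TOTAL)
    return {
        "phishing": {**evaluate(PHISHING_GOAL, q2, as_of), "qoq_change_pct": percent_change(q1, q2)},
        "training": evaluate(TRAINING_GOAL, trained, as_of),
    }


if __name__ == "__main__":
    for name, row in run_report().items():
        print(name, row)
```

Two design points matter for reporting accuracy and reproducibility: the pass rate is computed from aggregated raw counts rather than by averaging monthly percentages, and a zero baseline returns None instead of a misleading 0% change, so the report shows the gap in data rather than hiding it.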

Info-Tech’s security metrics methodology is repeatable and iterative to help boost maturity

Security Metric Lifecycle

  1. Review current state and decide on priorities.
  2. Set a SMART goal for improvement.
  3. Develop an appropriate KPI.
  4. Use the KPI to monitor program improvement.
  5. Present metrics to the board.
  6. Revise metrics if necessary, then return to step 1.

Metrics go hand in hand with your security strategy

A security strategy is ultimately a large goal-setting exercise. You begin by determining your current maturity and how mature you need to be across all areas of information security, i.e. completing a gap analysis.

As such, linking your metrics program to your security strategy is a great way to get your metrics program up and running – but it’s not the only way.

Check out the following Info-Tech resource to get started today:

Build an Information Security Strategy

The value of security metrics goes beyond simply increasing security

This blueprint applies to you whether you need to develop a metrics program from scratch or optimize and update your current strategy.

Value of engaging in security metrics:

  • Increased visibility into your operations.
  • Improved accountability.
  • Better communication with executives as a result of having hard evidence of security performance.
  • Improved security posture through better understanding of what is working and what isn’t within the security program.

Value of Info-Tech’s security metrics blueprint:

  • Doesn’t overwhelm you and allows you to focus on determining the metrics you need to worry about now without pressuring you to do it all at once.
  • Helps you develop a growth plan as your organization and metrics program mature, so you continue to optimize.
  • Creates effective communication. Prepares you to present the metrics that truly matter to executives rather than confusing them with unnecessary data. Pay attention to metric accuracy and reproducibility. No management wants inconsistent reporting.

Impact

Short term: Streamline your program. Based on your organization’s specific requirements and risk profile, figure out which metrics are best for now while also planning for future metrics as your organization matures.

Long term: Once the program is in place, improvements will come with increased visibility into operations. Investments in security will be encouraged when more evidence is available to executives, contributing to overall improved security posture. Potential opportunities for eventual cost savings also exist as there is more informed security spending and fewer incidents.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked-off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Link Security Metrics to Goals to Boost Maturity – Project Overview

Phase 1: Link Security Metrics to Goals to Boost Maturity

  • Best-Practice Toolkit
    • 1.1 Review current state and set your goals
    • 1.2 Develop KPIs and prioritize your goals
    • 1.3 Implement and monitor the KPI to track goal progress
  • Guided Implementations
    • Call 1: Setting Goals
    • Call 2: KPI Development
  • Onsite Workshop
    • Module 1: Current State, Initiatives, Goals, and KPIs
  • Phase 1 Outcome
    • KPI development and populated metrics tracking tool.

Phase 2: Adapt Your Reporting Strategy for Various Metric Types

  • Best-Practice Toolkit
    • 2.1 Review best practices for presenting metrics
    • 2.2 Strategize your presentation based on metric type
    • 2.3 Tailor presentation to your audience
    • 2.4 Use your metrics to create a story about risk
    • 2.5 Revise your metrics
  • Guided Implementations
    • Call 1: Best Practices and Reporting Strategy
    • Call 2: Build a Dashboard and Presentation Deck
  • Onsite Workshop
    • Module 2: Metrics Reporting
  • Phase 2 Outcome
    • Reporting strategy with dashboard and presentation deck.

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Day 1: Current State, Initiatives, and Goals

  • Activities
    • Discuss current state and existing approach to metrics.
    • Review contract metrics already in place (or available).
    • Determine security areas that should be measured.
    • Determine which stakeholders are involved.
    • Review current initiatives to address those risks (security strategy, if in place).
    • Begin developing SMART goals for your initiative roadmap.
  • Deliverables
    • Gap analysis results

Workshop Day 2: KPI Development

  • Activities
    • Continue SMART goal development.
    • Sort goals into types.
    • Rephrase goals as KPIs and list associated metric(s).
    • Continue KPI development.
  • Deliverables
    • Completed KPI development templates

Workshop Day 3: Metrics Prioritization

  • Activities
    • Lay out prioritization criteria.
    • Determine priority metrics (implementation).
    • Determine priority metrics (improvement & organizational trend).
  • Deliverables
    • Prioritized metrics and tool for tracking and presentation

Workshop Day 4: Metrics Reporting

  • Activities
    • Review metric types and discuss reporting strategies for each.
    • Develop a story about risk.
    • Discuss the use of KPXs and how to scale for less mature programs.
  • Deliverables
    • Key Performance Index tool and presentation materials

Workshop Day 5: Offsite Finalization

  • Activities
    • Review and finalization of documents drafted during the workshop.
  • Deliverables
    • Finalization of completed deliverables

Phase 1: Link Security Metrics to Goals to Boost Maturity

1.1 Review current state and set your goals

1.2 Develop KPIs and prioritize your goals

1.3 Implement and monitor KPIs

This phase will walk you through the following activities:

  • Current state assessment
  • Setting SMART goals
  • KPI development
  • Goals prioritization
  • KPI implementation

This phase involves the following participants:

  • Security Team

Outcomes of this phase

  • Goals-based KPIs
  • Security Metrics Determination and Tracking Tool

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of two to three advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Link Security Metrics to Goals to Boost Maturity

Proposed Time to Completion: 2-4 weeks

Step 1.1: Setting Goals

Start with an analyst kick-off call:

  • Determine current and target maturity for various security programs.
  • Develop SMART Goals.

Then complete these activities…

  • CMMI Assessment

Step 1.2 – 1.3: KPI Development

Review findings with analyst:

  • Prioritize goals
  • Develop KPIs to track progress on goals
  • Track associated metrics

Then complete these activities…

  • KPI Development

With these tools & templates:

  • KPI Development Worksheet
  • Security Metrics Determination and Tracking Tool

Phase 1 Results & Insights:

  • Basic Metrics program

1.1 Review current state and set your goals

120 minutes

Let’s put the security program under the microscope.

Before program improvement can take place, it is necessary to look at where things are at presently (in terms of maturity) and where we need to get them to.

In other words, we need to perform a security program gap analysis.

Info-Tech Best Practice

The most thorough way of performing this gap analysis is by completing Info-Tech’s Build an Information Security Strategy blueprint, as it will provide you with a prioritized list of initiatives to boost your security program maturity.

Completing an abbreviated gap analysis...

Security areas to assess:

  • Network Security
  • Endpoint Security
  • Vulnerability Management
  • Identity Access Management
  • Incident Management
  • Training & Awareness
  • Compliance, Audit, & Review
  • Risk Management
  • Business Alignment & Governance
  • Data Security

Steps:

  1. Using the CMMI scale below, assess your maturity level across the security areas listed above, giving your program a score from 1-5 in each. Record your assessment on a whiteboard.
  2. Zone in on your areas of greatest concern and choose 3 to 5 areas to prioritize for improvement.
  3. Set a SMART goal for improvement, using the goal-setting criteria described earlier.

Use the CMMI scale to contextualize your current maturity

Use the Capability Maturity Model Integration (CMMI) scale below to help you understand your current level of maturity across the various areas of your security program.

  1. Initial
    • Incidents can be managed. Outcomes are unpredictable due to lack of a standard operating procedure.
  2. Repeatable
    • Process in place, but not formally implemented or consistently applied. Outcomes improve but still lack predictability.
  3. Defined
    • Process is formalized and consistently applied. Outcomes become more predictable, due to consistent handling procedure.
  4. Managed
    • Process shows signs of maturity and can be tracked via metrics. Moving towards a predictive approach to incident management.
  5. Optimizing
    • Process reaches a fully reliable level, though improvements are still possible. Regularity allows for the process to be automated.

(Adapted from the “CMMI Institute Maturity Model”)
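The abbreviated gap analysis above (score each area 1-5 on the CMMI scale, then pick the 3 to 5 areas of greatest concern) is shown here as an added example written for this page, not Info-Tech's tool. It validates that every area has a score on the 1-5 scale, computes the gap between current and target level for each area, and ranks the areas below target so the largest gaps surface first. The ten area names are the ones listed on the page; the current scores and target levels are constructed for the example and are not real assessment results.

```python
# Added example (not Info-Tech's tool): abbreviated gap analysis on the CMMI
# scale. The area scores and targets below are constructed, not real results.
CMMI_LEVELS = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimizing"}

SECURITY_AREAS = [
    "Network Security", "Endpoint Security", "Vulnerability Management",
    "Identity Access Management", "Incident Management", "Training & Awareness",
    "Compliance, Audit, & Review", "Risk Management",
    "Business Alignment & Governance", "Data Security",
]

# Constructed whiteboard scores (current) and where the team wants to be (target).
CURRENT = {
    "Network Security": 3, "Endpoint Security": 2, "Vulnerability Management": 1,
    "Identity Access Management": 2, "Incident Management": 1, "Training & Awareness": 2,
    "Compliance, Audit, & Review": 3, "Risk Management": 2,
    "Business Alignment & Governance": 1, "Data Security": 2,
}
TARGET = {area: 3 for area in SECURITY_AREAS}      # "Defined" as the default target
TARGET["Vulnerability Management"] = 4             # higher bar where risk is greatest
TARGET["Identity Access Management"] = 4


def validate_scores(scores, areas=SECURITY_AREAS):
    """Every area must have an integer score on the 1-5 CMMI scale."""
    missing = [a for a in areas if a not in scores]
    if missing:
        raise ValueError(f"no score recorded for: {missing}")
    bad = {a: s for a, s in scores.items() if not isinstance(s, int) or s not in CMMI_LEVELS}
    if bad:
        raise ValueError(f"scores must be integers 1-5: {bad}")
    return True


def gap_analysis(current, target):
    """One row per area with its maturity gap (target minus current)."""
    validate_scores(current)
    validate_scores(target)
    rows = []
    for area in SECURITY_AREAS:
        gap = target[area] - current[area]
        rows.append({
            "area": area,
            "current": current[area], "current_level": CMMI_LEVELS[current[area]],
            "target": target[area], "target_level": CMMI_LEVELS[target[area]],
            "gap": gap,
        })
    return rows


def prioritize(current, target, min_areas=3, max_areas=5):
    """Areas of greatest concern: largest gap first, ties broken by name,
    capped at max_areas. Areas already at or above target are never selected."""
    rows = [r for r in gap_analysis(current, target) if r["gap"] > 0]
    rows.sort(key=lambda r: (-r["gap"], r["area"]))
    if len(rows) < min_areas:
        # Fewer than min_areas areas are below target: report what there is rather than pad.
        return rows
    return rows[:max_areas]


if __name__ == "__main__":
    for row in prioritize(CURRENT, TARGET):
        print(f'{row["area"]}: {row["current_level"]} -> {row["target_level"]} (gap {row["gap"]})')
```

Each selected row names a current and target level, which is the raw material for step 3: a SMART goal such as "move Vulnerability Management from Initial to Managed by a given date" can be read straight off the output, and the KPI that tracks it is then a percentage of the roadmap items for that area completed.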


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 2-phase advisory process. You'll receive 4 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Link security metrics to goals to boost maturity
  • Call 1: Setting goals
  • Call 2: KPI development

Guided Implementation 2: Adapt your reporting strategy for various metric types
  • Call 1: Best practices and reporting strategy
  • Call 2: Build a dashboard and presentation deck

Authors

Logan Rohde

Ian Mulholland

Contributors

  • Mike Creaney, Senior Security Engineer at Federal Home Loan Bank of Chicago
  • Peter Chestna, Director, Enterprise Head of Application Security at BMO Financial Group
  • Zane Lackey, Co-Founder / Chief Security Officer at Signal Sciences
  • Ben Rothke, Senior Information Security Specialist at Tapad
  • Caroline Wong, Chief Strategy Officer at Cobalt.io
  • 2 anonymous contributors