Build a Security Metrics Program to Drive Maturity

Good metrics come from good goals.

  • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.
  • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
  • Because metrics can become very technical and precise, it's easy to think that they're inherently complicated (not true).

Our Advice

Critical Insight

  • The best metrics are tied to goals.
  • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

Impact and Result

  • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new, more specific goals, and with them come more specific metrics.
  • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
  • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received a security training course).

Build a Security Metrics Program to Drive Maturity Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a security metrics program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.


  • TransForm Shared Service Organization: Guided Implementation
  • Kansas Public Employees Retirement System: Guided Implementation
  • Viridor Energy Limited: Guided Implementation
  • Alberta Blue Cross: Guided Implementation
  • New York University in Abu Dhabi Corporation – Abu Dhabi: Guided Implementation





Onsite Workshop: Build a Security Metrics Program to Drive Maturity

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Current State, Initiatives, and Goals

The Purpose

Create a prioritized list of goals to improve the security program’s current state.

Key Benefits Achieved

Insight into the current program and the direction it needs to head in.




Discuss current state and existing approach to metrics.


Review contract metrics already in place (or available).


Determine security areas that should be measured.


Determine what stakeholders are involved.


Review current initiatives to address those risks (security strategy, if in place).

  • Gap analysis results

Begin developing SMART goals for your initiative roadmap.

  • SMART goals

Module 2: KPI Development

The Purpose

  • Develop unique KPIs to measure progress against your security goals.

Key Benefits Achieved

  • Learn how to develop KPIs
  • Prioritized list of security goals




Continue SMART goal development.


Sort goals into types.


Rephrase goals as KPIs and list associated metric(s).

  • KPI Evolution Worksheet

Continue KPI development.

Module 3: Metrics Prioritization

The Purpose

Determine which metrics will be included in the initial program launch.

Key Benefits Achieved

A set of realistic and manageable goals-based metrics.




Lay out prioritization criteria.


Determine priority metrics (implementation).

  • Prioritized metrics

Determine priority metrics (improvement & organizational trend).

  • Tool for tracking and presentation

Module 4: Metrics Reporting

The Purpose

Strategize presentation around metric type to indicate the organization’s risk posture.

Key Benefits Achieved

Develop versatile reporting techniques.




Review metric types and discuss reporting strategies for each.


Develop a story about risk.


Discuss the use of KPXs and how to scale for less mature programs.

  • Key Performance Index Tool and presentation materials

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 2-phase advisory process. You'll receive 4 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Link security metrics to goals to boost maturity
  • Call #1 - Setting goals
  • Call #2 - KPI development

Guided Implementation #2 - Adapt your reporting strategy for various metric types
  • Call #1 - Best practices and reporting strategy
  • Call #2 - Build a dashboard and presentation deck


Logan Rohde

Ian Mulholland


  • Mike Creaney, Senior Security Engineer at Federal Home Loan Bank of Chicago
  • Peter Chestna, Director, Enterprise Head of Application Security at BMO Financial Group
  • Zane Lackey, Co-Founder / Chief Security Officer at Signal Sciences
  • Ben Rothke, Senior Information Security Specialist at Tapad
  • Caroline Wong, Chief Strategy Officer at
  • 2 anonymous contributors