Build a Security Metrics Program to Drive Maturity
Good metrics come from good goals.
- Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.
- Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
- Because metrics can become very technical and precise,it's easy to think that they're inherently complicated (not true).
Our Advice
Critical Insight
- The best metrics are tied to goals.
- Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.
Impact and Result
- A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new more specific goals, and with them come more-specific metrics.
- It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
- A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training course).
Build a Security Metrics Program to Drive Maturity Research & Tools
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should build a security metrics program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Link security metrics to goals to boost maturity
Develop goals and KPIs to measure your progress.
2. Adapt your reporting strategy for various metric types
Learn how to present different types of metrics.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.6/10
Overall Impact
$7,266
Average $ Saved
9
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
TransForm Shared Service Organization
Guided Implementation
10/10
$10,000
10
Kansas Public Employees Retirement System
Guided Implementation
9/10
N/A
2
Viridor Energy Limited
Guided Implementation
9/10
$1,800
2
Alberta Blue Cross
Guided Implementation
10/10
$10,000
20
New York University in Abu Dhabi Corporation – Abu Dhabi
Guided Implementation
10/10
N/A
10
Allegis
Guided Implementation
9/10
$2,479
2
Onsite Workshop: Build a Security Metrics Program to Drive Maturity
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Current State, Initiatives, and Goals
The Purpose
Create a prioritized list of goals to improve the security program’s current state.
Key Benefits Achieved
Insight into the current program and the direct it needs to head in.
Activities
Outputs
Discuss current state and existing approach to metrics.
Review contract metrics already in place (or available).
Determine security areas that should be measured.
Determine what stakeholders are involved.
Review current initiatives to address those risks (security strategy, if in place).
- Gap analysis results
Begin developing SMART goals for your initiative roadmap.
- SMART goals
Module 2: KPI Development
The Purpose
- Develop unique KPIs to measure progress against your security goals.
Key Benefits Achieved
- Learn how to develop KPIs
- Prioritized list of security goals
Activities
Outputs
Continue SMART goal development.
Sort goals into types.
Rephrase goals as KPIs and list associated metric(s).
- KPI Evolution Worksheet
Continue KPI development.
Module 3: Metrics Prioritization
The Purpose
Determine which metrics will be included in the initial program launch.
Key Benefits Achieved
A set of realistic and manageable goals-based metrics.
Activities
Outputs
Lay out prioritization criteria.
Determine priority metrics (implementation).
- Prioritized metrics
Determine priority metrics (improvement & organizational trend).
- Tool for tracking and presentation
Module 4: Metrics Reporting
The Purpose
Strategize presentation based around metric type to indicate organization’s risk posture.
Key Benefits Achieved
Develop versatile reporting techniques
Activities
Outputs
Review metric types and discuss reporting strategies for each.
Develop a story about risk.
Discuss the use of KPXs and how to scale for less mature programs.
- Key Performance Index Tool and presentation materials
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 2-phase advisory process. You'll receive 4 touchpoints with our researchers, all included in your membership.
Guided Implementation #1 - Link security metrics to goals to boost maturity
- Call #1 - Setting goals
- Call #2 - KPI development
Guided Implementation #2 - Adapt your reporting strategy for various metric types
- Call #1 - Best practices and reporting strategy
- Call #2 - Build a dashboard and presentation deck
Contributors
- Mike Creaney, Senior Security Engineer at Federal Home Loan Bank of Chicago
- Peter Chestna, Director, Enterprise Head of Application Security at BMO Financial Group
- Zane Lackey, Co-Founder / Chief Security Officer at Signal Sciences
- Ben Rothke, Senior Information Security Specialist at Tapad
- Caroline Wong, Chief Strategy Officer at Cobalt.io
- 2 anonymous contributors
