March 12, 2019
By: Inversion6

What Makes a Good Security Metric?

Knowing the difference between good and bad information security metrics will help you use them more strategically. Learn more here.


There’s really only one way to determine whether or not your information security program is working — by collecting related data and analyzing it. But the most important factor to consider is which data to share. Data on its own is not going to tell a story and will leave most people frustrated, with no more insight than they had before looking at it.

We have tons of data at our fingertips, and any number of ways to arrange, report, and share them with stakeholders. But you’re not just looking to report any data — you’re looking to report metrics. What’s the difference? A metric is something you will manage by, and it drives behavior.

The Good

Gathering metrics should be a major focus — but not a major labor time-sink — for your company. You want the process to be efficient and impactful. Good metrics follow a general guideline of being:

  • Easily measured
  • Easily understood
  • Relevant to decision-making
  • Meaningful
  • Quantitative
  • Consistent
  • Aligned with your organization’s risk profile and goals

The first two are pretty straightforward: basically, don’t make things too hard on yourself or anyone else. If five people sit down to calculate a data point and all get a different answer, it’s not a good metric.

A metric should be relevant to decision-making by enabling an actionable response. For example, reporting on the number of closed vulnerabilities each month will help determine if your internal team and/or vendors are effective, or whether a change is needed.

Meaningful metrics show something that is vital to the organization’s operations. Instead of reporting the “level of risk,” which is entirely opinion-based, consider reporting the number of potential attacks per month, which is quantitative and gives a better insight into real risk.

Consistency is important when gathering data from different sources, such as vendor audits or different software programs. If you’re getting different numbers from each source, that’s not going to make for a good metric.

Finally, all metrics should align with or inform departmental and organizational goals. The point is to check performance, and performance is measured against goals.

Look for good metrics in firewall logs, web filter logs, phishing test results, helpdesk tickets, CRM/Salesforce, vulnerability scans, and other security-based reports you can easily pull. Each metric should have a measurement and a time period, and be as quantitative as possible.

The Bad

On the flip side, bad metrics will just frustrate everyone and provide no value, so they’re best avoided. Put simply, they have the opposite characteristics of good metrics. They tend to be:

  • Difficult and time-consuming to gather
  • Difficult for you or others to understand without extensive explaining
  • Inconsistent
  • Meaningless or undefined
  • Irrelevant to decision-making

Aim for about an hour per month to gather metrics — anything more than that is taking up too much labor time. Don’t have opinion-based metrics or anything that can be interpreted in multiple ways.

Stick to these guidelines, and you’ll be able to put together impactful, decision-informing reports for stakeholders at all levels.
