Software Integrity Blog


Building meaningful security metrics


Many people in various security disciplines are looking to metrics as a way to demonstrate the efficacy of their efforts and show continuous process improvement.

Unfortunately, poorly constructed metrics usually create more confusion than insight.

If I told you that testing discovered nine critical vulnerabilities last month, what knowledge have I imparted? Does it clarify improvement from last month/last year? Does it imply that you are testing more broadly across your portfolio to eliminate detection gaps? Does it mean you simply changed the definition for “critical”?

A metric without larger context is just a number (and if it’s just a color, then it probably hides more than it tells). True metrics are valuable because they provide specific decision-support information to the person who needs it. The key is to link each metric directly to a specific question (literally, an interrogative sentence) about whether the firm is achieving a business goal. This creates a useful and objective indicator of whether security initiatives are moving the firm in the right direction by the expected amount. Because well-constructed goals include business benefits, the associated metrics now convey tangible contribution to the organization.
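As an added illustration (not code from the original post), the following turns the three questions raised above into a computed metric: it normalizes the critical count by how much of the portfolio was actually tested, compares two periods, and flags whether the severity definition changed between them. All finding and coverage records are constructed sample data.

```python
# Constructed sample data: one record per finding, tagged with the version of the
# severity definition that was in force when it was rated.
FINDINGS = [
    {"period": "2024-01", "app": "billing", "severity": "critical", "defn": "v1"},
    {"period": "2024-01", "app": "portal",  "severity": "critical", "defn": "v1"},
    {"period": "2024-01", "app": "portal",  "severity": "high",     "defn": "v1"},
    {"period": "2024-02", "app": "billing", "severity": "critical", "defn": "v2"},
    {"period": "2024-02", "app": "portal",  "severity": "critical", "defn": "v2"},
    {"period": "2024-02", "app": "hr",      "severity": "critical", "defn": "v2"},
    {"period": "2024-02", "app": "crm",     "severity": "critical", "defn": "v2"},
]
# Constructed coverage data: how many of the portfolio's applications were tested.
COVERAGE = {
    "2024-01": {"tested": 2, "portfolio": 10},
    "2024-02": {"tested": 4, "portfolio": 10},
}


def period_summary(findings, coverage, period):
    """Count criticals for one period and normalize by what was actually tested."""
    rows = [f for f in findings if f["period"] == period]
    crit = sum(1 for f in rows if f["severity"] == "critical")
    cov = coverage[period]
    return {
        "period": period,
        "critical_count": crit,
        "apps_tested": cov["tested"],
        "portfolio_coverage": cov["tested"] / cov["portfolio"],
        "critical_per_tested_app": crit / cov["tested"] if cov["tested"] else 0.0,
        "definition_versions": sorted({f["defn"] for f in rows}),
    }


def compare_periods(findings, coverage, current, prior):
    """Answer 'did exposure per tested app change?' and flag definition drift.

    A raw delta is reported alongside the normalized delta so the reader can see
    when a jump in the count is explained by broader testing or a redefinition.
    """
    cur = period_summary(findings, coverage, current)
    prev = period_summary(findings, coverage, prior)
    drift = set(cur["definition_versions"]) != set(prev["definition_versions"])
    return {
        "raw_delta": cur["critical_count"] - prev["critical_count"],
        "rate_delta": cur["critical_per_tested_app"] - prev["critical_per_tested_app"],
        "coverage_delta": cur["portfolio_coverage"] - prev["portfolio_coverage"],
        "definition_changed": drift,
        "comparable": not drift,  # only trust the deltas when the ruler did not move
    }
```

With the sample data the raw count doubles from two to four, yet the rate per tested application is unchanged and the severity definition moved from v1 to v2, so the two periods are not directly comparable.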

Linking security metrics to business goals expresses security initiatives in the language of business and clarifies how the security efforts directly contribute to organizational health. In addition to compliance, risk management, and other goals, this linkage is critical to the budgeting process, as management is far more comfortable allocating funds to achieving tangible results than amorphous targets such as making the organization “more secure.” The metrics demonstrate continuous improvement over time, establishing trust with management and thereby further reducing friction in the budgeting process.
