Management & Strategy

Are You All Talk? How to Ensure Your Security Metrics Measure Up

Saying you’re secure is one thing; having the metrics to prove it is another, particularly when it comes to justifying security budgets.

Having metrics to focus on can make these conversations easier, security pros say.


But what metrics should security professionals track to demonstrate the strength of their team? Several practitioners shared their ideas with SecurityWeek.

When it comes to dealing with upper management, cost and compliance are the magic words, Rich Mogull, CEO of security advisory firm Securosis, told SecurityWeek.

“In today’s environment I would focus on two things,” Mogull said. “First, focus on metrics showing compliance and how you are maintaining that compliance over time and at what cost. Reducing deficiencies over time is a really good one.”

“Then focus on things that demonstrate operational efficiency,” he said. “Things like reducing helpdesk calls which actually helps reduce overall cost to the organization. Or patching more efficiently and again at lower cost.”

Tom Rabaut, an analyst with RedSeal Systems, listed a number of metrics security teams should pay attention to, ranging from the number of vulnerabilities on systems exposed to the Internet and to extranet partners, to the number of systems exposed to external networks that allow access using accounts not managed by a centralized authentication server. Still, he noted that there is no single set of metrics that is best for communicating with executives. There are, however, some things he contended security pros should keep in mind when communicating any metric.

“Frame the metric with a narrative,” he said. “What is the objective of the metric? If it pertains to a specific threat then explain the threat. What is the goal of the metric? And should it be increasing or decreasing?”


He also recommended using scorecards to frame the metric in the context of the business. Reporting the metric by business unit or business service is a good example and it communicates the metric in a context that is more applicable to executives, he said.
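The two RedSeal metrics above (open vulnerabilities on externally exposed systems, and externally exposed systems that accept locally managed accounts), reported per business unit with the narrative Rabaut describes and the period-over-period trend Mogull asks for, can be computed from an asset inventory like this. This is an added example and not code from the article, from RedSeal or from Securosis; the asset records, business-unit names, hostnames and field names (`exposed_to`, `vuln_count`, `local_accounts`) are constructed assumptions for illustration.

```python
"""Scorecard for exposure metrics, grouped by business unit with trend.

Added example; the data below is constructed and the field names are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    business_unit: str
    exposed_to: frozenset  # e.g. {"internet", "extranet"}; empty = internal only
    vuln_count: int        # open findings from the vulnerability scanner
    local_accounts: int    # accounts not managed by the central auth server


EXTERNAL = frozenset({"internet", "extranet"})

# Each metric carries its narrative: what it measures and which way it should move.
METRICS = {
    "external_vulns": {
        "objective": "Open vulnerabilities on systems reachable from the Internet or extranet partners",
        "lower_is_better": True,
    },
    "external_local_auth": {
        "objective": "Externally exposed systems that accept accounts not managed by central authentication",
        "lower_is_better": True,
    },
}


def is_external(asset: Asset) -> bool:
    """An asset counts as exposed if any of its interfaces face the Internet or an extranet."""
    return bool(asset.exposed_to & EXTERNAL)


def compute_scorecard(assets):
    """Return {business_unit: {metric_name: value}}; units with no exposed assets are omitted."""
    card = defaultdict(lambda: {m: 0 for m in METRICS})
    for a in assets:
        if not is_external(a):
            continue  # internal-only systems do not feed these two metrics
        card[a.business_unit]["external_vulns"] += a.vuln_count
        if a.local_accounts > 0:
            card[a.business_unit]["external_local_auth"] += 1
    return dict(card)


def trend(previous, current):
    """Compare two scorecards: {unit: {metric: (before, after, verdict)}}.

    The verdict honours each metric's declared direction, so the same code
    works for metrics where an increase is the goal.
    """
    out = {}
    for bu in sorted(set(previous) | set(current)):
        out[bu] = {}
        for m, meta in METRICS.items():
            before = previous.get(bu, {}).get(m, 0)
            after = current.get(bu, {}).get(m, 0)
            delta = after - before
            if delta == 0:
                verdict = "flat"
            elif (delta < 0) == meta["lower_is_better"]:
                verdict = "improved"
            else:
                verdict = "regressed"
            out[bu][m] = (before, after, verdict)
    return out


def render(trend_table):
    """Produce the executive-facing lines: narrative first, then the numbers."""
    lines = []
    for bu, metrics in trend_table.items():
        for m, (before, after, verdict) in metrics.items():
            goal = "should decrease" if METRICS[m]["lower_is_better"] else "should increase"
            lines.append(f"{bu} | {METRICS[m]['objective']} ({goal}): {before} -> {after}, {verdict}")
    return lines


# Constructed sample inventory for two reporting periods (not real systems).
LAST_QUARTER = [
    Asset("web-01", "Retail", frozenset({"internet"}), 12, 2),
    Asset("web-02", "Retail", frozenset({"internet"}), 5, 0),
    Asset("b2b-gw", "Wholesale", frozenset({"extranet"}), 8, 1),
    Asset("hr-db", "Corporate", frozenset(), 20, 3),  # internal only: excluded
]
THIS_QUARTER = [
    Asset("web-01", "Retail", frozenset({"internet"}), 4, 0),
    Asset("web-02", "Retail", frozenset({"internet"}), 6, 0),
    Asset("b2b-gw", "Wholesale", frozenset({"extranet"}), 9, 1),
    Asset("hr-db", "Corporate", frozenset(), 18, 3),
]

if __name__ == "__main__":
    for line in render(trend(compute_scorecard(LAST_QUARTER), compute_scorecard(THIS_QUARTER))):
        print(line)
```

Note that the "Corporate" unit never appears on the scorecard: its only asset is internal, so nothing it does moves either metric. That is deliberate, and it is the kind of omission the accompanying narrative should explain before an executive asks why a unit with 18 open vulnerabilities is missing from the report.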

Joe Gottlieb, CEO of Sensage, recently sat on a panel with Rabaut on the subject of metrics at the Hacker Halted conference in Miami two weeks ago. In an email to SecurityWeek, Gottlieb said Sensage customers regularly ask the company to monitor everything from the number of alerts and user access behavior to the number of downloads by users, with the last item being used for comparison purposes to determine whether a computer has been compromised by botnet malware.

“Security metrics are really difficult to demonstrate,” declared Andrew Plato, president of IT consultancy Anitian Enterprise Security. “Security just does not lend itself to clearly defined metrics. There are some basic technical metrics that can be looked at: number of incidents, number of virus outbreaks, and so forth. These can be translated into a monetary expense with some estimation. But those are always going to be based on a lot of assumptions.”

“I think the best metric is – what does your third party assessment say each year? A strong security team should be getting strong marks from a third party assessor,” he said. “That is really the ultimate metric.”
