The Art of Measuring Security Success

It’s Time to Stop Measuring Security Success by Only Internal, Readily-available Metrics

As the budget planning season approaches, discussions of how to measure security success to justify resource allocation or expansion return to the agenda. There are plenty of good articles that can help you identify security metrics to demonstrate the value of a security program, but before leaping to the selection of metrics we must first define success. That is more art than science.

Security tools are good at telling us how many attacks we have thwarted, how many systems we have hardened or how many authentications require a second factor. We also get reports on how our controls measure up to our policies through compliance audits. While it is easy to rely on metrics that are readily available, how does one determine which metrics are actually a measure of security success as it relates to the overall business priorities?

Mature organizations tend to focus on measuring risks and how they are being mitigated, which is ultimately what IT security is all about. But even the best organizations can fall into the trap of evaluating themselves against the wrong criteria.

Measuring Security Effectiveness

To really measure achievements in security programs, we must first define what success looks like.

Who defines success?

Security teams, like any other team, will gravitate towards defining success for themselves. But if budget justification, or a higher aspiration such as business enablement, is the objective, then the success factors are not determined solely by internal stakeholders. They must come from the needs of the business. The problem is that the business often cannot describe what it wants from security beyond “don’t get hacked” and “make the auditors happy.”

One easy-to-use model that may help bridge the gap between security teams and business managers to collaborate on goal planning is called “GOSPA.” It’s an acronym that stands for Goals, Objectives, Strategies, Plans and Actions. It is hierarchical in nature so that each layer supports the one above it. So, for example, you could start with a realistic goal such as:


Minimize the risk of a data breach or information loss to the standards of peers within our industry.

This could then be built into objectives such as:

• Reduce the time to complete system updates (application of patches) by 50%

• Increase the use of two-factor authentication to cover 100% of sensitive data

• Implement privileged account management for all administrators 

Objectives have an associated strategy to accomplish them, subdivided into plans, which are then broken down into specific actions or tasks for workers to carry out.
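The three objectives above are only useful if each can be scored from data the security team already holds. As an added illustration (not code from the article), the script below takes a constructed, hypothetical inventory of systems and administrator accounts and scores each objective against its target: median time-to-patch against a 50% reduction from an assumed baseline of 30 days, second-factor coverage of systems holding sensitive data, and privileged account management coverage of administrators. The inventory, the baseline figure, the `as_of` date and all field names are assumptions for the example. An unpatched system is aged to the `as_of` date rather than dropped, so an outstanding patch cannot quietly improve the median.

```python
"""Score GOSPA-style security objectives from a constructed asset inventory."""
from datetime import date
from statistics import median

# Constructed sample inventory (assumed for illustration, not from the article).
# "applied" is None when the patch is still outstanding.
AS_OF = date(2023, 4, 9)
SYSTEMS = [
    {"name": "crm-db",       "sensitive": True,  "mfa": True,  "released": date(2023, 3, 1),  "applied": date(2023, 3, 9)},
    {"name": "hr-portal",    "sensitive": True,  "mfa": False, "released": date(2023, 3, 1),  "applied": date(2023, 3, 13)},
    {"name": "payments-api", "sensitive": True,  "mfa": True,  "released": date(2023, 3, 5),  "applied": date(2023, 3, 25)},
    {"name": "wiki",         "sensitive": False, "mfa": False, "released": date(2023, 3, 2),  "applied": date(2023, 3, 17)},
    {"name": "build-server", "sensitive": False, "mfa": True,  "released": date(2023, 3, 10), "applied": None},
]
ADMINS = [
    {"user": "alice", "pam_managed": True},
    {"user": "bob",   "pam_managed": True},
    {"user": "carol", "pam_managed": False},
    {"user": "dave",  "pam_managed": True},
]
BASELINE_PATCH_DAYS = 30.0  # assumed median time-to-patch from the prior year


def patch_latency_days(systems, as_of):
    """Days from patch release to application. An open patch is aged to as_of,
    so an unpatched host cannot silently improve the median."""
    return [((s["applied"] or as_of) - s["released"]).days for s in systems]


def median_patch_days(systems, as_of):
    return float(median(patch_latency_days(systems, as_of)))


def coverage_pct(items, in_scope, satisfied):
    """Percent of in-scope items that satisfy the control; 100.0 if nothing is in scope."""
    scope = [i for i in items if in_scope(i)]
    if not scope:
        return 100.0
    return round(100.0 * sum(1 for i in scope if satisfied(i)) / len(scope), 1)


def mfa_coverage_pct(systems):
    # Objective: second factor on 100% of systems holding sensitive data.
    return coverage_pct(systems, lambda s: s["sensitive"], lambda s: s["mfa"])


def pam_coverage_pct(admins):
    # Objective: privileged account management for all administrators.
    return coverage_pct(admins, lambda a: True, lambda a: a["pam_managed"])


def score_objectives(systems, admins, baseline_days, as_of):
    """Map each objective to (current value, target, met?)."""
    patch = median_patch_days(systems, as_of)
    patch_target = baseline_days / 2          # "reduce time to patch by 50%"
    mfa = mfa_coverage_pct(systems)
    pam = pam_coverage_pct(admins)
    return {
        "patch_time_days": (patch, patch_target, patch <= patch_target),
        "mfa_coverage_pct": (mfa, 100.0, mfa >= 100.0),
        "pam_coverage_pct": (pam, 100.0, pam >= 100.0),
    }


if __name__ == "__main__":
    scores = score_objectives(SYSTEMS, ADMINS, BASELINE_PATCH_DAYS, AS_OF)
    for name, (current, target, met) in scores.items():
        print(f"{name:18} current={current:6.1f} target={target:6.1f} {'met' if met else 'NOT met'}")
```

With the constructed data the patch objective is met (median 15 days against a 15-day target), while second-factor coverage (66.7%) and privileged account management (75%) are not, which is the kind of concrete gap statement a business relationship manager can act on when the cost of closing it is put beside it.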

While strategy and actions will drive the overall business success, objectives are the measurable component and these are what you need to define with your business relationship manager. Education on the costs to achieve the agreed upon objectives is also a step in this process. If decision makers balk at the costs, then there is room to revise the objectives so they are realistic for the business.

Measure for business health

Working with the business is a two-way street. While it is necessary for security to educate business partners on what is needed to achieve goals, the business must be prepared to deliver specific plans and priorities to the security team as well. In other words, the business must share the measures of their own success.

That information must inform the planning and priorities of security. Current budgeted items and projects must be reconsidered at least annually to determine if they are necessary and align with the business plans.

For example, if you spend your entire budget on next-generation firewall upgrades, but the mid-year business initiative to engage customers through a new mobile app turns out to have a rogue administrator selling personal information, then security spending was misaligned with where the risk actually was. With the rapid pace of digital transformation, the window in which security can pivot is shrinking, because competitors push businesses to respond ever faster to changing market demands.

The art of measuring security success comes down to this business alignment. It isn’t always an obvious one-to-one match, but the effort must be made nonetheless. Increasingly, security will be driven to “shift-left” by the DevOps (or DevSecOps) movement. It’s time to stop measuring security success by internal, readily-available metrics, and leverage shared objectives to drive greater alignment with business priorities.
