Connect with us

Hi, what are you looking for?


Network Security

Security Metrics – Why Should You Care?

Most of the complex fields humans engage in develop their own terminology, which then becomes a problem of translation for the expert. One of the fundamental problems for security at the “C-level” is to translate between security’s inner language, which tends to be about risk, and business’ inner language, which is about money and opportunity.

Most of the complex fields humans engage in develop their own terminology, which then becomes a problem of translation for the expert. One of the fundamental problems for security at the “C-level” is to translate between security’s inner language, which tends to be about risk, and business’ inner language, which is about money and opportunity. The problem a lot of us security practitioners have is that we can’t really talk sensibly about risk without trying to quantify it, because the others at the “C-level” are going to want to make a risk/reward judgment and, all too often, we’re kind of waving our hands and the best we can do is point to some of the other casualties by the road-side and say “well, look what happened to them!

Metrics are critical for our ability to do better at our jobs, to quantify where we are succeeding and to measure what works, and how well it’s working.

Security Metrics

A great deal of the responsibility for our difficulty with metrics is because of the rapidly changing technological landscape that we’re dealing with. We had a decade or so to get used to firewalls and anti-virus and then the WWW came along, and a decade after that it’s “Cloud Computing” and we can’t really be said to understand the benefits of a firewall, yet. In the meanwhile, the firewall we’re talking about has changed profoundly, as well. Unlike in fields where there are large-scale demographics and metrics, we’re stymied by our inability to make truly effective recommendations by the lack of underlying information about the long-term effectiveness of what we’re recommending. For example, automotive safety studies can tell us (with some confidence) that you’re reducing your chance of injury by 90% if you wear your seatbelt. Have you ever been asked “do we really need a firewall?” and been left with your jaw hanging and your hands waving?

Senior security practitioners (here, I’m talking about the people who report to the CSO/CISO) are working at the level where metrics are important. It’s not the case that a security practitioner is going to have to walk into a meeting with a CEO or board of directors, and make a case for something-or-other with a bunch of PowerPoint pie charts. That’s the wrong level of the discussion for metrics. The metrics come in where the senior security practitioners develop understanding about what’s going on in their organization, and provide that information to the “C-level” as input into critical decisions. I’m sure that there have been cases where security metrics wind up being presented to the CEO, but, in general, we’re talking about back-and-forth at the higher end of the technical contributors and between business units.

Before we go further, let me offer a couple of quick definitions for security metrics. A fairly formal way of putting it would be: Security metrics are data points that provide analytical insights into an enterprise security posture.

 Metrics provide insights into the dimensions of an enterprise cyber security program and usually consist of things like: counts of things – numbers of servers, numbers of incidents, numbers of vulnerable hosts; risk extrapolations based on enterprise’s assessments of importance and vulnerability, operational effectiveness “speeds and feeds” or comparative benchmarks that measure how security practice compares with other organizations in the same space or scope.

My favorite definition of metrics is: A metric is some data and an algorithm for reducing and presenting it to tell a story.

Ultimately, the metrics exist to justify your existence at that level of the organization. If you can’t show that you’re succeeding or failing, someone else is going to leap to their own conclusions on that matter – which means you’d better hope they convince themselves you’re effective, rather than not. In fact, I’d argue that if you focus your metrics production on that one question: “Am I succeeding?” you’re probably heading in the right direction, metrics-wise. The answer might be “no” in which case you’re still heading in the right direction, metrics-wise though your career may be in a nose-dive otherwise.

Advertisement. Scroll to continue reading.

As a set of corollaries to that, there are some more detailed purposes for metrics:

  To justify your budget

  To argue for change

  Because it’s fun 

I read somewhere that “Math is the language of physics” and I’m tempted to say that “Metrics are the language of security” but doing that would reveal the sorry state that security is, in a lot of places. We are only just starting to be able to collect more useful information about breaches (see my interview with Jay Jacobs here) but we’re still a far cry from being able to make prescriptive declarations like: “You should wear your seatbelt and here’s why”)

Traffic Accident Charts

Source: National Highway Transportation Safety Administration

And, make no mistake, that kind of declarative prescription is what security practitioners at the senior and C-level are here to do. The chart above is an example of what I’d consider a well-presented metric; it’s the kind of thing that makes its case simply and quickly, and focuses the reader’s mind directly on the problem it is analyzing. If the question we were trying to ask was “Do seatbelts work?” the only argument that chart would leave is debaters’ arguments about “what does ‘work’ mean?” or questions about injuries versus fatalities, etc. During the remainder of this series we’ll get into those kinds of questions in more detail. For now, we should be thinking about how to make a case for security that is that effectively communicated.

Next up: We’ll dig into The Scientific Method and how metrics are a critical component of mankind’s greatest and most important activity, and the relationship between metrics and statistics.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...