Successful security leaders demonstrate their effectiveness through metrics. Metrics are used more and more as security executives emulate the way their counterparts in operations, finance, HR, and marketing operate who have used metrics to evaluate and track success for decades. Similarly, security metrics show the value or return on investment for information security initiatives and controls bring to the business, but only a third of managers use them.
The first thing you will need to do is select metrics that are important to your organization. This is crucial because a Ponemon study found that half the metrics in use are not properly aligned with business objectives. Some metrics for your consideration are provided and categorized below. In choosing a metric, identify ones that are directly related to the successful operation or risk mitigation in your company and use them to show employees that security matters. You will find that the use of metrics makes it easier for managers and employees to see how their efforts are improving security and it can give them pride in what they do and they demonstrate the effectiveness of your work.
Access control metrics are useful for measuring the effectiveness of controls that allow the use of systems and data for authorized users and deny use to unauthorized users.
- Percentage of false positive access rejections
- Percentage of users requiring a password reset in the last 30 days
Security program management
Security program management metrics measure the effectiveness of information security administrative functions.
- Number of days since an unauthorized change was made
- Percentage of changes that were reviewed for security impact
- Average time to patch systems following patch release
Awareness and Training
Security awareness and training metrics measure the level of investment given to furthering and solidifying skills in information security for both information security practitioners and employees.
- Percentage of employees who receive over 80 percent on awareness tests
- Average security awareness training hours taken for employees annually
Business continuity metrics measure the level of planning and effectiveness of controls and procedures used to ensure availability of key systems. Such controls are enacted in response to a state of emergency where critical systems become unavailable. Metrics in this area may measure the downtime incurred, level of response necessary or the effectiveness of backup operations and recovery.
- Number of days since the last system failure
- Availability percentage of key information systems
- Average recovery time objective (Time it takes to restore data and bring systems back online)
Incident response metrics are concerned with the effectiveness of activities taken to detect and correct information security incidents. Incidents are defined as situations where information security controls are compromised, subverted or circumvented. Incidents may or may not result in loss of data confidentiality, integrity or availability.
- Average number of hours needed to recover from a system failure
- Percentage of incidents reported within a specified period
- Number of days since the last security incident
Data encryption and destruction
Data encryption and destruction metrics track important data relative to how well the organization protects data that is stored on devices or transmitted over a network and how well data is permanently erased when not needed anymore.
- Percentage of encrypted mobile systems
- Percentage of decommissioned hard drives that were wiped and/or destroyed
Risk management metrics measure and track how well the organization is identifying and limiting risk.
- Percentage of risks identified requiring mitigation that was successfully mitigated within specified time frames
- Number of risks exceeding the established organizational risk tolerance level
- Average number of days from vulnerability discovery to remediation
Security metrics are crucial in determining the effectiveness of your security program. As you can see from the examples above, metrics can be defined for a variety of areas depending on your business goals. I encourage you to design meaningful metrics for your company. Meet with other business leaders or stakeholders and determine what is most important to the success and growth of your business and which metrics describe the way security contributes to these goals. I would also love to hear about the metrics that are especially important to you. Tell me how you measure your success?