Every area of business has specific performance metrics that should be monitored.
These metrics are key performance indicators: measurable values that show progress toward a company's business goals. Security is often assumed to run automatically, but in practice it still requires someone to push the button.
Too much technical jargon is being presented to the chief executive and the board. Indeed, security leaders and their organizations have used a myriad of metrics over the years. But still, many executives and board members have complained that those measures failed to provide them with adequate insight.
As security gains greater visibility in boardrooms, security professionals are increasingly asked to provide metrics to track the current state of a company's defenses. But which numbers really matter and which don’t?
3 Valuable Metrics
Business goals are rising, and so is the demand for a true business outcome. However, security management advisors say they still see value in many metrics historically used by the security team. What’s more important is measuring how effectively your systems protect against threats and limit their impact on the business. Here are 3 valuable metrics that you can use to provide that much-needed context.
Time to Detect
Use metrics like mean time to detect, the measure of how long it took from the time of a successful attack to the time of detection. That, too, indicates how well a security program works and can be tracked over time to show improvement.
Penetration testing
Like simulated phishing attacks, metrics around penetration testing indicate how well an organization can resist such events and can track improvements over time.
Time To Recover
Time to recover measures how quickly the security team resolved the issue, and whether that time meets, exceeds or falls short of target times based on the organization’s established appetite for risk.
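The two time-based metrics above are easy to state but only useful if they are computed consistently from incident records and compared against a target. The following Python is an added example, not code from the original post: it computes mean time to detect and mean time to recover over a set of constructed incident records, checks each against assumed target values standing in for the organization's risk appetite, and reports the single worst detection, since a mean can hide one long-running compromise. The incident IDs, timestamps and targets are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    """One incident record (constructed sample data, not from any real SOC)."""
    incident_id: str
    compromised_at: datetime  # when the attack succeeded, as established in post-incident review
    detected_at: datetime     # when the security team first became aware of it
    resolved_at: datetime     # when the issue was closed out


# Constructed sample incidents; every timestamp here is hypothetical.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 14, 0), datetime(2024, 3, 2, 10, 0)),
    Incident("INC-002", datetime(2024, 3, 5, 2, 30), datetime(2024, 3, 6, 9, 30), datetime(2024, 3, 6, 21, 30)),
    Incident("INC-003", datetime(2024, 3, 10, 12, 0), datetime(2024, 3, 10, 12, 45), datetime(2024, 3, 10, 16, 45)),
]

# Assumed targets standing in for the organization's stated risk appetite.
TARGETS = {"mttd": timedelta(hours=12), "mttr": timedelta(hours=24)}


def hours(delta: timedelta) -> float:
    """Express a timedelta in hours so metrics read naturally in a report."""
    return delta.total_seconds() / 3600


def validate(incident: Incident) -> None:
    """Reject records whose timeline is impossible; bad data silently skews the mean."""
    if not (incident.compromised_at <= incident.detected_at <= incident.resolved_at):
        raise ValueError(f"{incident.incident_id}: timestamps are out of order")


def compute_metrics(incidents, targets=TARGETS) -> dict:
    """Return MTTD/MTTR in hours, target comparisons, and the slowest detection."""
    if not incidents:
        raise ValueError("no incidents to measure")
    for incident in incidents:
        validate(incident)

    time_to_detect = [hours(i.detected_at - i.compromised_at) for i in incidents]
    time_to_recover = [hours(i.resolved_at - i.detected_at) for i in incidents]
    mttd = mean(time_to_detect)
    mttr = mean(time_to_recover)

    # The mean alone can hide an outlier, so name the incident that took longest to detect.
    slowest = max(incidents, key=lambda i: i.detected_at - i.compromised_at)

    return {
        "mttd_hours": mttd,
        "mttr_hours": mttr,
        "mttd_meets_target": mttd <= hours(targets["mttd"]),
        "mttr_meets_target": mttr <= hours(targets["mttr"]),
        "slowest_detection": slowest.incident_id,
    }


if __name__ == "__main__":
    for key, value in compute_metrics(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

With the constructed data the mean time to detect comes out just over the 12-hour target while the mean time to recover sits comfortably under 24 hours, and INC-002 is flagged as the detection that dragged the average up. Run the same function over each reporting period and the comparison against the fixed targets is what makes the trend meaningful to a board.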
2 Metrics To Abandon (Patches completed and Vulnerabilities identified)
While these measures might make sense as an internal measurement of work done, or be required to confirm an organization is compliant with certain regulations, they have little to no value in and of themselves. One can be lulled into a false sense of security.