Security icon

Build a Security Metrics Program to Drive Maturity

Good metrics come from good goals.

Get Instant Access to this Blueprint

Contributors

  • Mike Creaney, Senior Security Engineer at Federal Home Loan Bank of Chicago
  • Peter Chestna, Director, Enterprise Head of Application Security at BMO Financial Group
  • Zane Lackey, Co-Founder / Chief Security Officer at Signal Sciences
  • Ben Rothke, Senior Information Security Specialist at Tapad
  • Caroline Wong, Chief Strategy Officer at Cobalt.io
  • 2 anonymous contributors

Your Challenge

  • Many security leaders put off adding metrics to their program because they don't know where to start or how to assess what is worth measuring.
  • Sometimes, this uncertainty causes the belief that their security programs are not mature enough for metrics to be worthwhile.
  • Because metrics can become very technical and precise,it's easy to think that they're inherently complicated (not true).

Our Advice

Critical Insight

  • The best metrics are tied to goals.
  • Tying your metrics to goals ensures that you are collecting metrics for a specific purpose rather than just to watch the numbers change.

Impact and Result

  • A metric, really, is just a measure of success against a given goal. Gradually, programs will achieve their goals and set new more specific goals, and with them come more-specific metrics.
  • It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors.
  • A metrics program can be very simple and still effectively demonstrate the value of security to the organization. The key is to link your metrics to the goals or objectives the security team is pursuing, even if they are simple implementation plans (e.g. percentage of departments that have received security training course).

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a security metrics program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Guided Implementations

This guided implementation is a four call advisory process.

Guided Implementation #1 - Link security metrics to goals to boost maturity

Call #1 - Setting goals
Call #2 - KPI development

Guided Implementation #2 - Adapt your reporting strategy for various metric types

Call #1 - Best practices and reporting strategy
Call #2 - Build a dashboard and presentation deck

Onsite Workshop

Unlock This Blueprint

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Current State, Initiatives, and Goals

The Purpose

Create a prioritized list of goals to improve the security program’s current state.

Key Benefits Achieved

Insight into the current program and the direct it needs to head in.

Activities

Outputs

1.1

Discuss current state and existing approach to metrics.

1.2

Review contract metrics already in place (or available).

1.3

Determine security areas that should be measured.

1.4

Determine what stakeholders are involved.

1.5

Review current initiatives to address those risks (security strategy, if in place).

  • Gap analysis results
1.6

Begin developing SMART goals for your initiative roadmap.

  • SMART goals

Module 2: KPI Development

The Purpose

  • Develop unique KPIs to measure progress against your security goals.

Key Benefits Achieved

  • Learn how to develop KPIs
  • Prioritized list of security goals

Activities

Outputs

2.1

Continue SMART goal development.

2.2

Sort goals into types.

2.3

Rephrase goals as KPIs and list associated metric(s).

  • KPI Evolution Worksheet
2.4

Continue KPI development.

Module 3: Metrics Prioritization

The Purpose

Determine which metrics will be included in the initial program launch.

Key Benefits Achieved

A set of realistic and manageable goals-based metrics.

Activities

Outputs

3.1

Lay out prioritization criteria.

3.2

Determine priority metrics (implementation).

  • Prioritized metrics
3.3

Determine priority metrics (improvement & organizational trend).

  • Tool for tracking and presentation

Module 4: Metrics Reporting

The Purpose

Strategize presentation based around metric type to indicate organization’s risk posture.

Key Benefits Achieved

Develop versatile reporting techniques

Activities

Outputs

4.1

Review metric types and discuss reporting strategies for each.

4.2

Develop a story about risk.

4.3

Discuss the use of KPXs and how to scale for less mature programs.

  • Key Performance Index Tool and presentation materials

Search Code: 93969
Published: September 18, 2020
Last Revised: September 18, 2020

Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019