Security icon

Implement and Optimize an Effective Security Management Metrics Program

Make your security analytics useful for governing your business operations & security program.


This content requires an active subscription.

Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.

Speak With A Representative Sign In
or Call: 1-888-670-8889 (US) or 1-844-618-3192 (CAN)

View Storyboard

Solution Set Storyboard thumbnail


  • Tom Johnston, Director – IT Governance, Applied Industrial Technologies
  • Ben Lennox, Director – Service Management, Sun Life Financial 
  • Vivek Shivananda, CEO, Rsam
  • David Scott, Chief – Software Development, CSG Invotas
  • Jack Jones, Principal, CXOWARE, Inc.
  • Trey Ford, Global Security Strategist, Rapid7
  • Shari Breiten, Operational Risk Director, Principal Financial Group
  • Andre Da Silva, Manager Business Security, nbn Australia 
  • Jim Halpert, Global Co-Chair, Data Protection, Privacy and Security, DLA Piper
  • Larry Clinton, President, Internet Security Alliance
  • David Mortman, Chief Security Architect and Distinguished Engineer, Dell
  • Louis Lerman, IT Officer, International Monetary Fund
  • VP – Security Engineering and Operations, Financial Organization
  • Chief Information Security Officer, Government Services

Your Challenge

  • Security investments, requiring time and money, are often made without adequate supporting information as to the relative benefit of one investment vs. another.
  • Many organizations and subject matter experts recognize the difficulty of establishing and maintaining an effective metrics program. This results in an inability to acquire management/leadership support for changes or additions needed for the security technology, policy, and process environment.
  • In a resource-constrained environment, availability of additional resources for investment will be limited without solid evidence. Metrics allow the organization to understand its current state and highlight unnecessary risks and opportunities to reduce those risks.

Our Advice

Critical Insight

  • Value vs. effort: The success of a metrics program is largely due to understanding the difference between quality and quantity. Attempting to measure anything and everything is not an efficient use of staff time and creates the potential for inconsistent measurements. For the most efficiency, devote your time to knowing what metrics will be provided to your organization, as well as assurance of their relevance, reliability, and reproducibility.
  • Metrics are a journey, not a destination: An effective metrics program takes time. Identifying which stage your organization is at in terms of your metrics needs – minimum, recommended, or advanced metrics – allows you to prioritize which metrics you need to measure now and how your organization can continue to mature in metrics.
  • Justify the spend: Use metrics to support your security investments with tangible, quantitative evidence. Communicate with management and facilitate decision making with objective benefits, rationales, and risks to back funding of security controls. Metrics can be used to prove which investments are worthwhile to the organization.

Impact and Result

  • Short term: Streamline your program. Based on your organization’s specific requirements and risk profile, figure out what metrics are best for now while also planning for future metrics as your organization matures. Choose metrics that focus on overall business impact and provide the most actionable insight, rather than numbers for the sake of numbers.
  • Long term: Once the program is in place, improvements will come with increased visibility into operations. Investments in security will be encouraged with more evidence available to executives, contributing to improved security posture overall. Potential for eventual cost savings also exists as there is more informed security spend and fewer incidents.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should implement a security management metrics program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Establish baseline metrics

Assess the necessity of metrics and identify the organization’s risk tolerance level to determine corresponding recommended security management metrics.

2. Develop the metrics program roadmap

Prioritize the list of metrics to develop a strategic roadmap for tracking and reporting management metrics.

3. Track and report the metrics

Understand tools available to track metrics and guidance for reporting what matters.

Guided Implementations

This guided implementation is an eight call advisory process.

Guided Implementation #1 - Establish your metrics baseline

Call #1 - Discuss metrics overview, current state, and key metric information collection
Call #2 - Assess current and target state
Call #3 - Analyze gaps (if not achieved in second call)

Guided Implementation #2 - Develop metrics program roadmap

Call #1 - Prioritize metrics and create library
Call #2 - Develop roadmap
Call #3 - Identify potential data sources and collection methods

Guided Implementation #3 - Track and report metrics

Call #1 - Review basic metric tracking
Call #2 - Discuss communication strategies

Onsite Workshop

Discuss This Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish the Baseline Metrics

The Purpose

  • Understand how metrics can be valuable to your organization.
  • Identify where your organization currently stands with respect to metrics and where improvements can be made.
  • Determine which metrics make sense for your organization to track.

Key Benefits Achieved

  • Increased visibility into the current metrics program.
  • Understanding of an optimal metrics program.
  • Narrowed focus on relevant metrics.




Discuss the value of metrics and different types

  • Value of metrics

Determine risk tolerance level

  • Risk tolerance level

Discuss target state of recommended metrics

  • List of recommended metrics

Conduct current state assessment

  • Current state

Review gap analysis

  • Understanding of gaps

Complete Security Metrics Worksheet

  • Shortlist of potential metrics

Module 2: Develop the Metrics Program Roadmap

The Purpose

  • Rather than tracking all metrics from the get-go, determine a staggered timeline to implement the metrics program.
  • Make metrics more than just data points by providing context and analysis.  

Key Benefits Achieved

  • Make the metrics program more digestible and easy to implement.
  • Discover how to make metrics valuable to provide insight into the organization’s security program. 




Prioritize the suggested metrics

  • Order of tracking, based on factors such as affordability and alignment with business objectives

Develop a metrics roadmap

  • Formalized timeline of metric tracking

Create a library of metrics

  • Formalized summary of metrics

Discuss data sources and collection methods

  • Understanding of data collection processes

Understand how to make data useful

  • Strategy to make metrics valuable

Module 3: Track and Report the Metrics

The Purpose

  • Use the most appropriate tracking tools relative to your needs.
  • Create a concise, valuable presentation to share key metrics.
  • Optimize the program to avoid wasting resources tracking no-longer-relevant metrics.

Key Benefits Achieved

  • Various tracking tools investigated.
  • Clear and efficient presentation of metrics to management.
  • Optimized metrics program.




Discuss methods of tracking metrics

  • Options to track metrics

Prepare communication material to share findings with management

  • Clear guidelines on sharing key metrics with management

Understand how to review the success of the metrics program

  • Understanding of successful/unsuccessful metrics

Search Code: 76651
Published: December 22, 2014
Last Revised: September 3, 2015