Build a Security Metrics Program to Drive Maturity
Good metrics come from good goals.
RETIRED CONTENT
Please note that the content on this page is retired. This content is not maintained and may contain information or links that are out of date.Lack of a metrics program makes it difficult to assess how well the security program is doing on a day-to-day basis and stifles opportunities to measure improvement over time and can lead to:
- Lack of maturity.
- Inability to explain value of security.
- No objective way to measure progress or improvements.
A goals-based metrics program will help to:
- Increase business-security alignment.
- Explain what security is doing and its overall effect on the organization.
- Allow you to prioritize security goals and measure progress to completion.
- Provide you with greater insight into the program and how performance in one area influences others.
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Module 1: Current State, Initiatives, and Goals
The Purpose
Create a prioritized list of goals to improve the security program’s current state.
Key Benefits Achieved
Insight into the current program and the direct it needs to head in.
| Activities: | Outputs: | |
|---|---|---|
| 1.1 | Discuss current state and existing approach to metrics. |
|
| 1.2 | Review contract metrics already in place (or available). |
|
| 1.3 | Determine security areas that should be measured. |
|
| 1.4 | Determine what stakeholders are involved. |
|
| 1.5 | Review current initiatives to address those risks (security strategy, if in place). |
|
| 1.6 | Begin developing SMART goals for your initiative roadmap. |
|
Module 2: KPI Development
The Purpose
- Develop unique KPIs to measure progress against your security goals.
Key Benefits Achieved
- Learn how to develop KPIs
- Prioritized list of security goals
| Activities: | Outputs: | |
|---|---|---|
| 2.1 | Continue SMART goal development. |
|
| 2.2 | Sort goals into types. |
|
| 2.3 | Rephrase goals as KPIs and list associated metric(s). |
|
| 2.4 | Continue KPI development. |
|
Module 3: Metrics Prioritization
The Purpose
Determine which metrics will be included in the initial program launch.
Key Benefits Achieved
A set of realistic and manageable goals-based metrics.
| Activities: | Outputs: | |
|---|---|---|
| 3.1 | Lay out prioritization criteria. |
|
| 3.2 | Determine priority metrics (implementation). |
|
| 3.3 | Determine priority metrics (improvement & organizational trend). |
|
Module 4: Metrics Reporting
The Purpose
Strategize presentation based around metric type to indicate organization’s risk posture.
Key Benefits Achieved
Develop versatile reporting techniques
| Activities: | Outputs: | |
|---|---|---|
| 4.1 | Review metric types and discuss reporting strategies for each. |
|
| 4.2 | Develop a story about risk. |
|
| 4.3 | Discuss the use of KPXs and how to scale for less mature programs. |
|