There's no denying that Key Performance Indicators (KPIs) can be critical for any security program, and many of us are fully aware of that. Nonetheless, in practice, confusion still remains about what security KPIs are crucial to track and how to choose the right KPIs to measure and improve the robustness of your security program.
Here we'll propose a few ideas about how to select and track the right KPIs for your organization.
Security KPIs and security metrics: are they the same?
At the outset, we need to make a few clarifications.
Security KPIs and security metrics are terms often used interchangeably, but there is a slight difference between their meanings. While metrics are "quantifiable measurements" that pertain primarily to your security tactics and quotidian measurement of results, KPIs are measurables relating to your long-term security strategy and ultimate goals. Your chosen security KPIs drive crucial strategic decisions, so your security program might stand or fall with them.
From a slightly different perspective, we can say that "security metrics" is the broader concept of the two. Security KPIs are simply security metrics that carry more weight for an organization than the rest of the security metrics.
By security, we mean both cybersecurity and information security. That implies that we'll use "security KPIs" and "cyber security KPIs" or "cybersecurity KPIs" interchangeably (somewhat loosely, some might say). The same applies to "security metrics," and "cybersecurity metrics."
How to choose your security KPIs
Quality
Needless to say, when choosing cybersecurity KPIs, quality should always have precedence over quantity. In this case, quality is synonymous with effectiveness.
What are good indicators of an effective KPI? To be effective, a security KPI should be:
Simple
Measurable
Actionable
Relevant
Time-based
Quantity
Tracking too many KPIs can place decision-makers in a state of information overload.
To consider what KPIs you should monitor without going down the rabbit hole, you should try to answer the following two simple questions:
Will a particular KPI inspire the most meaningful change in your organization?
Can it be adapted to address unforeseen shortcomings of your security program or increase its applicability?
Security KPIs measured in security operations
Below is a small list of selected critical cybersecurity metrics, i.e., KPIs that Security Operations Centers (SOCs) usually measure. In addition, the list contains some key questions you need to answer when considering whether a cybersecurity metric is a suitable KPI for your company.
KPI |
Questions to consider |
Mean Time to Detect (MTTD) |
Are there alternative procedures to reduce the time to detect? |
Mean Time to Respond (MTTR) |
Are there ways to improve the response phases? |
Mean Time to Contain (MTTC) |
Can containment techniques be enhanced? |
Total number of incidents |
How many security incidents are being handled? |
Number of false positives |
Is there an opportunity for automation to help address the SecOps pain points? |
Time to identify an alert as a false positive |
Can the time for the discovery of false positives be shortened? |
Number of devices being monitored |
Which devices pose the greatest attack risk? |
Number of incidents per device or host |
Are some devices or hosts more prone to false positives? |
Number of incidents per service or application |
Are specific services or applications more prone to security issues, causing increased security risk? |
Number of incidents per account |
Are specific accounts (users) more likely to perform risky behavior? |
Number of analysts assigned |
Can incident response resources be allocated more efficiently? |
Average time of the incident phases |
Are there any potential improvements to the escalation process that can make security incident handling more efficient? |
Incident sources |
How often does incident discovery happen manually by an analyst before a received event from a specific technology? |
How to track security KPIs
SOAR gives you the tools to keep track of your KPIs by delivering real-time data that can help you review and optimize security operations.
For example, Sumo Logic Cloud SOAR allows you to assess security KPIs crucial to making critical security decisions. With this cybersecurity solution, you can:
Build and maintain situational awareness of the actual state of your security activities in real time
Benchmark and optimize security operation and incident response actions
Analyze over 140 customizable KPIs using a customizable dashboard
Measure each phase of the incident response life cycle separately
Main takeaways
At its core, a KPI is a way to measure the success or failure of an overarching business goal, function, or objective. It also informs your strategic decision by providing actionable information. High-quality cybersecurity KPIs serve as a security program enabler and driver for continuous improvement.
Learn how to calculate the ROI of Cloud SOAR
There will never be a set of correct security KPIs for every organization. The goals and objectives of each company will invariably be different, and an organization's KPIs should always reflect individual priorities and circumstances. In other words, your organization's security KPIs should be a function of your company's environment and goals.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
