There's no denying that Key Performance Indicators (KPIs) can be critical for any security program, and many of us are fully aware of that. Nonetheless, in practice, confusion still remains about what security KPIs are crucial to track and how to choose the right KPIs to measure and improve the robustness of your security program.
Here we'll propose a few ideas about how to select and track the right KPIs for your organization.
Security KPIs and security metrics: are they the same?
At the outset, we need to make a few clarifications.
Security KPIs and security metrics are terms often used interchangeably, but there is a slight difference between their meanings. Metrics are quantifiable measurements of your day-to-day security tactics and results; KPIs are the measurements tied to your long-term security strategy and ultimate goals. Your chosen security KPIs drive crucial strategic decisions, so your security program may stand or fall with them.
From a slightly different perspective, we can say that "security metrics" is the broader concept of the two. Security KPIs are simply security metrics that carry more weight for an organization than the rest of the security metrics.
By security, we mean both cybersecurity and information security. That implies that we'll use "security KPIs" and "cyber security KPIs" or "cybersecurity KPIs" interchangeably (somewhat loosely, some might say). The same applies to "security metrics," and "cybersecurity metrics."
How to choose your security KPIs
Needless to say, when choosing cybersecurity KPIs, quality should always have precedence over quantity. In this case, quality is synonymous with effectiveness.
What are good indicators of an effective KPI? To be effective, a security KPI should be:
Tracking too many KPIs can place decision-makers in a state of information overload.
To consider what KPIs you should monitor without going down the rabbit hole, you should try to answer the following two simple questions:
Will a particular KPI inspire the most meaningful change in your organization?
Can it be adapted to address unforeseen shortcomings of your security program or increase its applicability?
Security KPIs measured in security operations
Below is a short list of cybersecurity metrics that Security Operations Centers (SOCs) commonly measure and often promote to KPIs. Each is paired with a question to consider when deciding whether that metric is a suitable KPI for your company.
Mean Time to Detect (MTTD): Are there alternative procedures to reduce the time to detect?
Mean Time to Respond (MTTR): Are there ways to improve the response phases?
Mean Time to Contain (MTTC): Can containment techniques be enhanced?
Total number of incidents: How many security incidents are being handled?
Number of false positives: Is there an opportunity for automation to help address the SecOps pain points?
Time to identify an alert as a false positive: Can the time to discover false positives be shortened?
Number of devices being monitored: Which devices pose the greatest attack risk?
Number of incidents per device or host: Are some devices or hosts more prone to false positives?
Number of incidents per service or application: Are specific services or applications more prone to security issues, causing increased security risk?
Number of incidents per account: Are specific accounts (users) more likely to perform risky behavior?
Number of analysts assigned: Can incident response resources be allocated more efficiently?
Average time of the incident phases: Are there any potential improvements to the escalation process that can make security incident handling more efficient?
How often does incident discovery happen manually by an analyst before an event is received from a specific technology?
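The time-based metrics above only mean something if everyone agrees on which timestamps they are measured between. The following is an added example, not code from the original article or from Sumo Logic, that computes MTTD, MTTR, MTTC, false positive rate, time to identify a false positive and per-host and per-account counts from a constructed set of incident records. The incident records, hostnames, accounts and timestamps are all made up for illustration, and the interval definitions (MTTD from actual occurrence to first alert, MTTR and MTTC from first alert onward) are one common convention, stated in comments rather than taken from the page. It also reports the median time to detect beside the mean, because a single slow-burn breach can drag the mean far away from what the typical incident looks like.

```python
"""Compute SOC KPIs from incident records (added example with constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    incident_id: str
    host: str
    account: str
    occurred: datetime              # when the activity actually began (from forensics)
    detected: datetime              # first alert raised
    responded: Optional[datetime]   # analyst picked the alert up (or closed it as FP)
    contained: Optional[datetime]   # blast radius stopped growing; None if open or FP
    false_positive: bool = False


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample: three true incidents and two false positives (hypothetical hosts/accounts).
INCIDENTS: List[Incident] = [
    Incident("INC-1", "web-01", "svc-web", ts("2024-03-01 00:00"), ts("2024-03-01 02:00"),
             ts("2024-03-01 02:30"), ts("2024-03-01 04:00")),
    Incident("INC-2", "db-02", "dba", ts("2024-03-02 10:00"), ts("2024-03-02 16:00"),
             ts("2024-03-02 18:00"), ts("2024-03-03 03:00")),
    Incident("INC-3", "web-01", "alice", ts("2024-03-03 09:00"), ts("2024-03-03 10:00"),
             ts("2024-03-03 10:30"), ts("2024-03-03 12:00")),
    # False positives: there was no attack, so 'occurred' is just the alert time.
    Incident("INC-4", "laptop-17", "bob", ts("2024-03-04 08:00"), ts("2024-03-04 08:00"),
             ts("2024-03-04 08:20"), None, false_positive=True),
    Incident("INC-5", "web-01", "svc-web", ts("2024-03-05 12:00"), ts("2024-03-05 12:00"),
             ts("2024-03-05 12:40"), None, false_positive=True),
]


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def true_incidents(incidents: List[Incident]) -> List[Incident]:
    return [i for i in incidents if not i.false_positive]


def mttd_hours(incidents: List[Incident]) -> float:
    """Mean Time to Detect: actual occurrence -> first alert, true incidents only."""
    return mean(hours(i.occurred, i.detected) for i in true_incidents(incidents))


def median_ttd_hours(incidents: List[Incident]) -> float:
    """Median of the same distribution; one slow-burn breach skews the mean badly."""
    return median(hours(i.occurred, i.detected) for i in true_incidents(incidents))


def mttr_hours(incidents: List[Incident]) -> float:
    """Mean Time to Respond: first alert -> analyst engagement."""
    return mean(hours(i.detected, i.responded)
                for i in true_incidents(incidents) if i.responded)


def mttc_hours(incidents: List[Incident]) -> float:
    """Mean Time to Contain: first alert -> containment.

    Incidents still open are excluded, which flatters the number, so the
    summary reports the open count next to it.
    """
    return mean(hours(i.detected, i.contained)
                for i in true_incidents(incidents) if i.contained)


def false_positive_rate(incidents: List[Incident]) -> float:
    return sum(i.false_positive for i in incidents) / len(incidents)


def mean_time_to_identify_fp_hours(incidents: List[Incident]) -> float:
    """Alert raised -> alert closed as a false positive."""
    fps = [i for i in incidents if i.false_positive and i.responded]
    return mean(hours(i.detected, i.responded) for i in fps)


def incidents_per(incidents: List[Incident], key: str) -> Dict[str, int]:
    """Count true incidents grouped by an Incident attribute ('host' or 'account')."""
    return dict(Counter(getattr(i, key) for i in true_incidents(incidents)))


def kpi_summary(incidents: List[Incident]) -> Dict[str, object]:
    return {
        "mttd_h": mttd_hours(incidents),
        "median_ttd_h": median_ttd_hours(incidents),
        "mttr_h": mttr_hours(incidents),
        "mttc_h": mttc_hours(incidents),
        "open_incidents": sum(1 for i in true_incidents(incidents) if i.contained is None),
        "false_positive_rate": false_positive_rate(incidents),
        "mean_time_to_identify_fp_h": mean_time_to_identify_fp_hours(incidents),
        "incidents_per_host": incidents_per(incidents, "host"),
        "incidents_per_account": incidents_per(incidents, "account"),
    }


if __name__ == "__main__":
    for name, value in kpi_summary(INCIDENTS).items():
        print(f"{name}: {value}")
```

On the sample data the mean time to detect is 3.0 hours while the median is 2.0, driven entirely by the one database incident that went unnoticed for six hours; reporting both, plus the count of still-open incidents that MTTC silently leaves out, keeps the KPI from telling a rosier story than the incident queue does.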
How to track security KPIs
A Security Orchestration, Automation and Response (SOAR) platform gives you the tools to keep track of your KPIs by delivering real-time data that can help you review and optimize security operations.
For example, Sumo Logic Cloud SOAR allows you to assess security KPIs crucial to making critical security decisions. With this cybersecurity solution, you can:
Build and maintain situational awareness of the actual state of your security activities in real time
Benchmark and optimize security operation and incident response actions
Analyze over 140 KPIs on a customizable dashboard
Measure each phase of the incident response life cycle separately
At its core, a KPI is a way to measure the success or failure of an overarching business goal, function, or objective. It also informs your strategic decision by providing actionable information. High-quality cybersecurity KPIs serve as a security program enabler and driver for continuous improvement.
There will never be a set of correct security KPIs for every organization. The goals and objectives of each company will invariably be different, and an organization's KPIs should always reflect individual priorities and circumstances. In other words, your organization's security KPIs should be a function of your company's environment and goals.