Building a Holistic Cybersecurity Metrics Program

Matthew Pascucci September 27, 2018

Establishing organizational and security operations metrics improves management and reduces company risk

An organization's ability to discover and reduce risk in a more preventative manner rests heavily on having clear cybersecurity and security operations metrics. 

security operations metrics

Understanding the overall security posture of your enterprise is determined by creating a baseline of select organizational and security operations metrics. With baseline numbers established, you can then begin to increase visibility, education and improvement to both technology and processes within your program. Metrics should be garnered from critical assets with risks and improvements presented to key stakeholders within the organization. These metrics help determine where particular areas of a program are running smoothly and where additional insight should be applied.

Defining the cybersecurity metrics that matter to your organization

Start by understanding your organization's critical assets. This could include everything from sensitive customer data and company IP to users and devices. I almost always suggest starting with anything compliance-related or having to do with public assets. These are the areas where you should be building metrics first. Ultimately, you're looking to measure your ability to effectively and proactively secure your company's most valuable assets. Ensuring visibility into these areas first is vital to identifying lapses in performance that could compromise security and triggering response to get processes back on track.

After you've identified what needs to be monitored,  you need to start collecting information and determining what data points are available. The process for collecting metrics is an important discussion item, since we want to limit as much manual effort as possible. Determining what information to collect and how you'll gather and analyze this data is a crucial step in your metrics journey. You'll also want to gut-check your identified metrics with a risk-based team, if available, to determine prioritization of the remediation efforts when those needs arise.

Baselines set the stage for goal-setting and measuring progress

Creating baselines is what you’ll use to determine the current cybersecurity maturity of your organization overall as well as your SOC. Baselines also help you identify any outliers or blatant concerns which require urgent attention. By creating this foundation and setting standards reflecting what’s normal within your organization, you create a basis for setting goals and milestones. Included in your baselines should also be an understanding of industry standards and your organization's appetite/tolerance for risk. Without these, identifying future goals is destined to be a fruitless exercise.

As an example, let's say you set a goal of having all Windows systems patched within one week of new Microsoft patches being released. To set this as an effective goal, you would need to have already done the following:

  1. Baseline the current state of your patching performance - what is the current time frame for new patches to be applied?
  2. Understand your organization's risk tolerance - how long are unpatched systems acceptable?

Only by understanding these elements can you determine if a one-week patching window is actually a good, reasonable, achievable goal.

Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Subscribe to Email Updates

Top Stories