
February 28, 2023 By Andrea Fumagalli and Enrico Benzoni

How to choose and track your security KPIs


There's no denying that Key Performance Indicators (KPIs) can be critical for any security program, and many of us are fully aware of that. Nonetheless, in practice, confusion still remains about what security KPIs are crucial to track and how to choose the right KPIs to measure and improve the robustness of your security program.

Here we'll propose a few ideas about how to select and track the right KPIs for your organization.

Security KPIs and security metrics: are they the same?

At the outset, we need to make a few clarifications. 

Security KPIs and security metrics are terms often used interchangeably, but there is a slight difference between their meanings. While metrics are "quantifiable measurements" that pertain primarily to your security tactics and day-to-day measurement of results, KPIs are measurables relating to your long-term security strategy and ultimate goals. Your chosen security KPIs drive crucial strategic decisions, so your security program might stand or fall with them.

From a slightly different perspective, we can say that "security metrics" is the broader concept of the two. Security KPIs are simply security metrics that carry more weight for an organization than the rest of the security metrics. 

By security, we mean both cybersecurity and information security. That implies that we'll use "security KPIs" and "cyber security KPIs" or "cybersecurity KPIs" interchangeably (somewhat loosely, some might say). The same applies to "security metrics," and "cybersecurity metrics."

How to choose your security KPIs

Quality

Needless to say, when choosing cybersecurity KPIs, quality should always have precedence over quantity. In this case, quality is synonymous with effectiveness.

What are good indicators of an effective KPI? To be effective, a security KPI should be:

  • Simple

  • Measurable 

  • Actionable

  • Relevant

  • Time-based

Quantity

Tracking too many KPIs can place decision-makers in a state of information overload.

To consider what KPIs you should monitor without going down the rabbit hole, you should try to answer the following two simple questions:

  • Will a particular KPI inspire the most meaningful change in your organization?

  • Can it be adapted to address unforeseen shortcomings of your security program or increase its applicability?

Security KPIs measured in security operations

Below is a short list of selected critical cybersecurity metrics, i.e., the KPIs that Security Operations Centers (SOCs) usually measure. Next to each one is a key question you need to answer when considering whether that metric is a suitable KPI for your company.

KPI | Questions to consider
Mean Time to Detect (MTTD) | Are there alternative procedures to reduce the time to detect?
Mean Time to Respond (MTTR) | Are there ways to improve the response phases?
Mean Time to Contain (MTTC) | Can containment techniques be enhanced?
Total number of incidents | How many security incidents are being handled?
Number of false positives | Is there an opportunity for automation to help address the SecOps pain points?
Time to identify an alert as a false positive | Can the time for the discovery of false positives be shortened?
Number of devices being monitored | Which devices pose the greatest attack risk?
Number of incidents per device or host | Are some devices or hosts more prone to false positives?
Number of incidents per service or application | Are specific services or applications more prone to security issues, causing increased security risk?
Number of incidents per account | Are specific accounts (users) more likely to perform risky behavior?
Number of analysts assigned | Can incident response resources be allocated more efficiently?
Average time of the incident phases | Are there any potential improvements to the escalation process that can make security incident handling more efficient?
Incident sources | How often is an incident discovered manually by an analyst before an event is received from a specific technology?
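As an added example that is not part of the original post, the following Python computes several of the KPIs in the table above (MTTD, MTTR, MTTC, false-positive count and triage time, incidents per host) from a handful of constructed incident records. The Incident fields, the phase timestamps and the host names are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    """One SOC case. Timestamps follow the incident phases; None means the phase was never reached."""
    host: str
    occurred: datetime             # when the malicious activity started (established by forensics)
    detected: datetime             # when the alert fired / the case was opened
    responded: Optional[datetime]  # when response actions began
    contained: Optional[datetime]  # when the threat was contained
    closed: datetime               # when the case was closed
    false_positive: bool = False

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records (hypothetical hosts and times, not real data).
INCIDENTS = [
    Incident("web-01", _ts("2023-02-01 08:00"), _ts("2023-02-01 09:00"), _ts("2023-02-01 09:30"), _ts("2023-02-01 11:00"), _ts("2023-02-01 12:00")),
    Incident("db-02", _ts("2023-02-02 10:00"), _ts("2023-02-02 13:00"), _ts("2023-02-02 13:30"), _ts("2023-02-02 17:00"), _ts("2023-02-02 18:00")),
    Incident("web-01", _ts("2023-02-03 09:00"), _ts("2023-02-03 09:20"), None, None, _ts("2023-02-03 09:35"), false_positive=True),
    Incident("web-01", _ts("2023-02-04 22:00"), _ts("2023-02-05 00:00"), _ts("2023-02-05 01:00"), _ts("2023-02-05 02:00"), _ts("2023-02-05 04:00")),
]

def mean_minutes(incidents, start: str, end: str):
    """Mean elapsed minutes between two phases, skipping incidents that never reached `end`."""
    spans = [(getattr(i, end) - getattr(i, start)).total_seconds() / 60
             for i in incidents if getattr(i, end) is not None]
    return mean(spans) if spans else None

def compute_kpis(incidents):
    """Return the KPI values a SOC dashboard would track for this set of cases."""
    real = [i for i in incidents if not i.false_positive]
    fps = [i for i in incidents if i.false_positive]
    return {
        "total_incidents": len(incidents),
        "mttd_min": mean_minutes(real, "occurred", "detected"),   # MTTD: activity start -> detection
        "mttr_min": mean_minutes(real, "detected", "responded"),  # MTTR: detection -> first response
        "mttc_min": mean_minutes(real, "detected", "contained"),  # MTTC: detection -> containment
        "false_positives": len(fps),
        "fp_triage_min": mean_minutes(fps, "detected", "closed"),  # time to identify an alert as FP
        "incidents_per_host": dict(Counter(i.host for i in incidents)),
    }

if __name__ == "__main__":
    for name, value in compute_kpis(INCIDENTS).items():
        print(f"{name}: {value}")
```

Real incidents and false positives are separated so that false positives do not shrink the detection and containment times, which is the kind of choice that decides whether a number remains actionable.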

How to track security KPIs

SOAR gives you the tools to keep track of your KPIs by delivering real-time data that can help you review and optimize security operations.

For example, Sumo Logic Cloud SOAR allows you to assess security KPIs crucial to making critical security decisions. With this cybersecurity solution, you can:

  • Build and maintain situational awareness of the actual state of your security activities in real time

  • Benchmark and optimize security operation and incident response actions

  • Analyze over 140 customizable KPIs using a customizable dashboard

  • Measure each phase of the incident response life cycle separately

Main takeaways

At its core, a KPI is a way to measure the success or failure of an overarching business goal, function, or objective. It also informs your strategic decisions by providing actionable information. High-quality cybersecurity KPIs serve as a security program enabler and a driver for continuous improvement.


There will never be a set of correct security KPIs for every organization. The goals and objectives of each company will invariably be different, and an organization's KPIs should always reflect individual priorities and circumstances. In other words, your organization's security KPIs should be a function of your company's environment and goals. 


Andrea Fumagalli and Enrico Benzoni

Senior Director, Customer Engineering | Manager, Marketing and Technology Alliances
