Everyone always asks: what are the best security metrics to have? The answer is simple to me: use metrics that are valuable to your business governance and decision-making processes! Easy, right?

Not so easy in real life, right!

I did a post about this in 2021 which looked at a more operationalised view of cyber metrics; today I’m going to try and think about this from a “more business perspective”. In reality, as I say time and time again, it needs to be meaningful to your organisation and it needs to be something that supports decision making and investment decisions for your business mission and objectives.

Business and Cyber Metrics

This really does depend on the nature, size and scale of the business, but let’s start to think about these:

  • Security Investment Costs Last Qtr./Period
  • Number of Major Security Incidents
  • Number of Minor Security Incidents
  • Number of Security events
  • Number of Incidents avoided/prevented
  • Number of Opportunities lost due to failing to meet cyber security criteria
  • Number of Opportunities won where cyber security was a factor
  • Security Team Headcount
  • Security Team Headcount as a ratio of total FTE
  • Suppliers Meeting Cyber Assurance
  • Suppliers Failing Cyber Assurance
  • Number of Security Testing exercises performed
  • Number of risks on the risk register by status
  • Single Loss Expectancy (SLE) Mean
  • Single Loss Expectancy (SLE) Max
  • Single Loss Expectancy (SLE) Min
  • Annual Loss Expectancy (ALE) Mean
  • Annual Loss Expectancy (ALE) Max
  • Annual Loss Expectancy (ALE) Min
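As an added worked example (my code, not from the original post): the risk-register and loss-expectancy items above computed over a small constructed register. The post does not define SLE or ALE, so the textbook definitions are assumed here: SLE = asset value × exposure factor, and ALE = SLE × annualised rate of occurrence (ARO). Risk IDs, statuses and figures are all made up. The last function flags metrics whose period-on-period change exceeds a threshold, which is the kind of trigger for a “so what” conversation rather than a dashboard number on its own.

```python
"""Risk-register metrics: counts by status, SLE/ALE min/mean/max, and a
period-on-period change flag.  Added example; definitions assumed below."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Risk:
    risk_id: str            # hypothetical identifier, e.g. "R-001"
    status: str             # "open", "mitigated", "accepted", "closed"
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of asset value lost per event, 0.0..1.0
    aro: float              # annualised rate of occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy = asset value * exposure factor (assumed)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.risk_id}: exposure factor must be 0..1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO (assumed)."""
        if self.aro < 0:
            raise ValueError(f"{self.risk_id}: ARO cannot be negative")
        return self.sle() * self.aro


# Constructed sample registers for two reporting periods (not real data).
PREVIOUS_REGISTER = [
    Risk("R-002", "open",      400_000,   0.125, 2.0),
    Risk("R-003", "mitigated", 1_000_000, 0.5,   0.125),
    Risk("R-004", "accepted",  80_000,    1.0,   0.25),
    Risk("R-005", "closed",    180_000,   0.5,   1.0),
]
CURRENT_REGISTER = [Risk("R-001", "open", 2_000_000, 0.25, 0.5)] + PREVIOUS_REGISTER

# Statuses that still carry loss exposure; closed risks are excluded by default.
LIVE_STATUSES = ("open", "mitigated", "accepted")


def count_by_status(register: list[Risk]) -> dict[str, int]:
    """Number of risks on the register by status."""
    return dict(Counter(r.status for r in register))


def loss_expectancy_summary(register: list[Risk],
                            statuses=LIVE_STATUSES) -> dict[str, float]:
    """Min/mean/max SLE and ALE (plus ALE total) over live risks only."""
    live = [r for r in register if r.status in statuses]
    if not live:
        return {"count": 0}
    sles = [r.sle() for r in live]
    ales = [r.ale() for r in live]
    return {
        "count": len(live),
        "sle_min": min(sles), "sle_mean": mean(sles), "sle_max": max(sles),
        "ale_min": min(ales), "ale_mean": mean(ales), "ale_max": max(ales),
        "ale_total": sum(ales),
    }


def flag_drastic_changes(previous: dict[str, float], current: dict[str, float],
                         threshold: float = 0.2) -> dict[str, float]:
    """Return {metric: relative change} for metrics that moved by more than
    `threshold` (20% by default) between two periods.  A metric that went
    from zero to non-zero is reported as infinite change."""
    flags = {}
    for key in previous.keys() & current.keys():
        prev, curr = previous[key], current[key]
        if prev == 0 and curr == 0:
            continue
        change = float("inf") if prev == 0 else (curr - prev) / prev
        if abs(change) > threshold:
            flags[key] = change
    return flags


if __name__ == "__main__":
    prev = loss_expectancy_summary(PREVIOUS_REGISTER)
    curr = loss_expectancy_summary(CURRENT_REGISTER)
    print("by status:", count_by_status(CURRENT_REGISTER))
    print("current period:", curr)
    for metric, change in sorted(flag_drastic_changes(prev, curr).items()):
        print(f"so what? {metric} moved {change:+.0%} period on period")
```

The “closed” status is deliberately excluded from the loss figures: a closed risk still counts on the register but no longer contributes exposure, and mixing the two is the most common way these numbers get quietly inflated or deflated between board packs.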

None of these are particularly in the weeds, and they should contribute to the business success story; if there are drastic changes in them over time you can probably use them to help decision making. For each metric I would want to understand the “so what” factor, both against the historic trend and against the decision-making outcome.

  • If headcount decreases, so what?
  • If we lose one sale due to security capability gaps, so what?

By ensuring we have metrics that are meaningful, we can make good business and security (risk, safety and quality) decisions for our stakeholders. Oh, and remember, metrics may need to evolve as time goes on; perfect doesn’t really exist!