Definition

Security metrics are measurements of key performance indicators that help  organizations establish relationships between different dimensions of their  security strategy.

Business applications

Security metrics are often used to justify security spending to C-level executives, whether by illustrating the present risk or showing how  security investments have helped mitigate risk. For example, an organization  might measure the number of incidents that occurred within an IT infrastructure  during a given time period, and the amount of time and money needed to resolve  them. This data may help the organization demonstrate a need for additional  security spending or prove a return on technology investment.

Deployment Concerns

Given the dynamic nature of technology and the threat  landscape, security metrics quickly become outdated. They also lack standardization, so organizations  cannot easily compare their security posture to best practices or even other  organizations within the same industry. Organizations can deploy an automated  security metrics program to help ensure that metrics are current, but they are  still limited in their ability to compare metrics.

When presenting security metrics, IT professionals must be  careful to present the findings in relation to the business.  C-level executives and upper-management must be able to understand the business  impact of the security metrics to understand how they justify security  spending.