Are there any specific KPIs or metrics that you use to measure the effectiveness of your security programs?

14k views · 3 Upvotes · 7 Comments

Chief Security Officer in Software, 10,001+ employees
We measure a lot of things at Pearson, from the number of endpoints that have antivirus or certain controls in place to the number of systems that are patched and when they're patched. We also measure risk exceptions. Then we report not only the number of open exceptions that we have, but the risk level those exceptions have too.

So, if there are 100 critical risks open for longer than a certain period of time, we track that because it goes back to the conversation of business impact. We try and put a metric and measurement on everything, and it ties into not only our strategic goals, but also into our tactical goals for the year. They are also tied to individuals' goals to measure how they are trying to drive the security of the business to match those strategic objectives. We do that across the board with the KPIs that we have. We've been pretty successful with that.
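The risk-exception metric described above (open exceptions counted by risk level, plus the critical ones open longer than a set period), as an added Python example that is not code from the thread or from Pearson; the register fields, the sample records and the 90-day threshold are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample risk-exception register (hypothetical data, not real records).
EXCEPTIONS = [
    {"id": "RX-1", "risk": "critical", "opened": date(2023, 1, 10), "closed": None},
    {"id": "RX-2", "risk": "critical", "opened": date(2023, 5, 1), "closed": None},
    {"id": "RX-3", "risk": "high", "opened": date(2023, 2, 1), "closed": None},
    {"id": "RX-4", "risk": "critical", "opened": date(2022, 11, 1), "closed": date(2023, 3, 15)},
    {"id": "RX-5", "risk": "low", "opened": date(2023, 5, 20), "closed": None},
    {"id": "RX-6", "risk": "critical", "opened": date(2023, 1, 1), "closed": None},
]

# Severity order used when rendering the report (assumed scale).
RISK_ORDER = ["critical", "high", "medium", "low"]


def open_exceptions(exceptions, as_of):
    """Exceptions that were open on the reporting date (opened on/before it, not yet closed)."""
    return [
        e for e in exceptions
        if e["opened"] <= as_of and (e["closed"] is None or e["closed"] > as_of)
    ]


def open_by_risk(exceptions, as_of):
    """Count of open exceptions per risk level on the reporting date."""
    return dict(Counter(e["risk"] for e in open_exceptions(exceptions, as_of)))


def overdue(exceptions, as_of, max_age_days, risk="critical"):
    """IDs of open exceptions at the given risk level that have exceeded the allowed age."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(
        e["id"] for e in open_exceptions(exceptions, as_of)
        if e["risk"] == risk and e["opened"] <= cutoff
    )


def report(exceptions, as_of, max_age_days=90):
    """One line per risk level (most severe first), plus the overdue critical exceptions."""
    counts = open_by_risk(exceptions, as_of)
    lines = [f"{r}: {counts[r]} open" for r in RISK_ORDER if r in counts]
    stale = overdue(exceptions, as_of, max_age_days)
    lines.append(f"critical open > {max_age_days} days: {len(stale)} ({', '.join(stale)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EXCEPTIONS, date(2023, 6, 1))))
```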
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
I think it's important to measure the human component as well as the technical details. Measuring service uptime, infected devices, incidents/attacks, and patching/AV status is necessary but not the full picture. I perform phishing tests and nighttime desktop audits to verify people are doing the right things (plus it makes them very aware). I trend audit findings/recommendations to not only fix issues but get to the root cause of an issue that was fixed the year before. Often the root cause for these issues is people, and sometimes that person is me. If you have regular third-party audits from customers, regulators, and certification bodies, and if some of those auditors are in the financial, healthcare, government or telecom industries, you will have enough data to tell you where to focus your efforts.
CIO in Finance (non-banking), 51 - 200 employees
NIST tier rank (capability)
Training scores (people)
Simulated phishing scores (people)
External risk assessment and penetration testing results tied to NIST (snapshots)
Incident response readiness (more qualitative)
Recovery time objectives and recovery point objectives (measured in hours and minutes)
Third-party risk scores (NIST-based)
CIO in Finance (non-banking), 51 - 200 employees
Also trend lines on vulnerabilities, incidents, suspicious activities
CIO in Finance (non-banking), 51 - 200 employees
Vulnerabilities per line of code written, in the development team.
Co-Founder and Director in Software, 2 - 10 employees
The training scores of security engineers, vulnerability assessment scores, audit report analysis and quality assurance, assessment time and response time.
CASH Europe IT Director in Transportation, 51 - 200 employees
KPIs of security depend on the business line. In my eyes, I would look at:
Compliance results (mainly certificate audits)
Penetration test results
Use of security tools to make users' lives easier
Employee education program
