{"id":4914,"date":"2023-02-28T08:00:00","date_gmt":"2023-02-28T08:00:00","guid":{"rendered":"http:\/\/www.sumologic.com\/blog\/how-smart-are-your-security-program-kpis"},"modified":"2025-05-08T19:11:03","modified_gmt":"2025-05-09T03:11:03","slug":"how-smart-are-your-security-program-kpis","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/blog\/how-smart-are-your-security-program-kpis","title":{"rendered":"How to choose and track your security KPIs"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0bfc804773fcd27adc327d7e9cf68f630c135ed9 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-4c2ac098504c8d5842209f4e79ad21a7aecc0229 e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-fcc2162656fafb8036a2301d0650a2bf3db53895 e-div--card-btn-link\"><div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1400\" height=\"400\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Smart_Secures_KPIs_blog_700x200-1.png\" alt=\"Cybersecurity + KPIs\" class=\"wp-image-4913\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-0610c91bd04b4f284b4aafa691bc724b\">There&#8217;s no denying that Key Performance Indicators (KPIs) can be critical for any security program, and many of us are fully aware of that. 
Nonetheless, in practice, confusion still remains about what security KPIs are crucial to track and how to choose the right KPIs to measure and improve the robustness of your security program.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3be17fe3940d7df44f8e4d2bc54b9da8\">Here we&#8217;ll propose a few ideas about how to select and track the right KPIs for your organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-674ad0dcda262a200cacc97754167e1a\" id=\"security_kpis_and_security_metrics:_are_they_the_same?\"><strong>Security KPIs and security metrics: are they the same?<\/strong><\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8197c5db9100ae8abb3c7858ca4b15fc\">At the outset, we need to make a few clarifications.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-61efa00f122e72b75aa0b97c60d5f3a5\">Security KPIs and security metrics are terms often used interchangeably, but there is a slight difference between their meanings. While metrics are &#8220;<a href=\"https:\/\/www.gartner.com\/en\/information-technology\/glossary\/security-metrics#:~:text=Security%20metrics%20are%20quantifiable%20measurements,and%20reporting%20of%20relevant%20data.\" target=\"_blank\" rel=\"noopener\">quantifiable measurements<\/a>&#8221; that pertain primarily to your security tactics and quotidian measurement of results, KPIs are measurables relating to your long-term security strategy and ultimate goals. Your chosen security KPIs drive crucial strategic decisions, so your security program might stand or fall with them.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4aefd0fd21772b07a426d4ea88ab3d0d\">From a slightly different perspective, we can say that &#8220;security metrics&#8221; is the broader concept of the two. 
Security KPIs are simply security metrics that carry more weight for an organization than the rest of the security metrics.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-01e3365ebd9f9570e44cc9559459d5c4\">By security, we mean both <a href=\"https:\/\/www.sumologic.com\/glossary\/cyber-security\/\">cybersecurity<\/a> and information security. That implies that we&#8217;ll use &#8220;security KPIs&#8221; and &#8220;cyber security KPIs&#8221; or &#8220;cybersecurity KPIs&#8221; interchangeably (somewhat loosely, some might say). The same applies to &#8220;security metrics,&#8221; and &#8220;cybersecurity metrics.&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-f1b7a4f76968ac3544d27c837d68ec2c\" id=\"how_to_choose_your_security_kpis\"><strong>How to choose your security KPIs<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-d74ec8700a6f77a6ee97efc29ff6275c\" id=\"quality\"><strong>Quality<\/strong><\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c43169bbc959b95050260b97b1ca2dd8\">Needless to say, when choosing cybersecurity <a href=\"https:\/\/www.scribd.com\/doc\/37150665\/Deloitte-KPI-and-Measuring-Security\" target=\"_blank\" rel=\"noopener\">KPIs<\/a>, quality should always have precedence over quantity. In this case, quality is synonymous with effectiveness.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f8e6374589bfb5909377b90cb6bc9ca2\">What are good indicators of an effective KPI? 
To be effective, a security KPI should be:<\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d1b2da98358ed77da6604f9c52a5acad\">Simple<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a28e861fc14de79e998b380a923e4126\">Measurable&nbsp;<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ab54e7d1cf471cd06ca775666474c737\">Actionable<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ac20fabb552fdc8b23c6196ea559f72d\">Relevant<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7f69bc63d3421599eaad9a4473183a17\">Time-based<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-172c63150372d6255a8f0f65fefbb6a2\" id=\"quantity\"><strong>Quantity<\/strong><\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-efac3821d66dc5c271f37ea12fe33160\">Tracking too many KPIs can place decision-makers in a state of information overload.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5a53164f925382d0d072c4ce5ae722c6\">To consider what KPIs you should monitor without going down the rabbit hole, you should try to answer the following two simple questions:<\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6a6ce3861523aa744b878b23569285fd\">Will a particular KPI inspire the most meaningful change in your organization?<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ecdb90c76b2743639c57e754a1c1097c\">Can it be adapted to address unforeseen shortcomings of your security program or 
increase its applicability?<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-0a9a10384589730cf8732381c916c623\" id=\"security_kpis_measured_in_security_operations\"><strong>Security KPIs measured in security operations<\/strong><\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-879f25192bf56091ed5d31b8c717f2e2\">Below is a small list of selected <strong>critical<\/strong> cybersecurity metrics, i.e., KPIs that Security Operations Centers (SOCs) usually measure. In addition, the list contains some key questions you need to answer when considering whether a cybersecurity metric is a suitable KPI for your company.<\/p>\n\n\n\n<table>\n<tbody>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4221622d18f6a7f326763fccb414f48f\"><strong>KPI<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-72b4c65b1dd2d5da981a6f94a99b2ed1\"><strong>Questions to consider<\/strong><\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-701e6a051822358e68862e5720eb4143\"><strong>Mean Time to Detect (MTTD)<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-86ab3342ba6a8efe2eeab4757541543a\">Are there alternative procedures to reduce the time to detect?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-53b11dbece621aaf3e81661d84992657\"><strong>Mean Time to Respond (MTTR)<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f6263a19e4a9a3ceb22a21ea4726157e\">Are there ways to improve the response phases?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-12bb2a15792dc45eaa5b7053b59680f6\"><strong>Mean Time to Contain 
(MTTC)<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-34fb233ad08617231bafa1277f725896\">Can containment techniques be enhanced?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a246d35336061bcc9a6c262860f3eb29\"><strong>Total number of incidents<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2b0c3b5df945310d52634185913189b0\">How many security incidents are being handled?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1ba7afc179f08da0869d6e6d6a6a5e66\"><strong>Number of false positives<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-416832307f3997bcfbc03b30a09bd6f8\">Is there an opportunity for automation to help address the SecOps pain points?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-861f2110c7d5418189f0639cfad8afe7\"><strong>Time to identify an alert as a false positive<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-54518c744ee3892953768eb07d676d22\">Can the time for the discovery of false positives be shortened?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e655b120cf8d231cc1feb528d94ac319\"><strong>Number of devices being monitored<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e3d40c88f5ff434f92ee145dc7d8fab3\">Which devices pose the greatest attack risk?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-57ad86ae41d6c91036e54072fa8b38cc\"><strong>Number of incidents per device or host<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color 
wp-elements-1a302f163b86a6c29eeaf5d6fd6dd08e\">Are some devices or hosts more prone to false positives?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4df7c872a79339675b35e0257adf8792\"><strong>Number of incidents per service or application<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-408fe9834e14d6806630e1093e062a2a\">Are specific services or applications more prone to security issues, causing increased security risk?&nbsp;<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-626a3489cdbed726e11b44ff9c5a6733\"><strong>Number of incidents per account<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-cc371788a1e0a4fe9ca4ce41cd93f9ac\">Are specific accounts (users) more likely to perform risky behavior?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d54c8566fa62471ddbce3ebc60149d4a\"><strong>Number of analysts assigned<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b07d0f3080ef1b0660b6810a984d482a\">Can incident response resources be allocated more efficiently?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a8987163c367fd09f23f59de02bfb4af\"><strong>Average time of the incident phases<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6417ec1dd155b8143b6061fd8f62d26b\">Are there any potential improvements to the escalation process that can make security incident handling more efficient?&nbsp;<\/p>\n\n\n\n<\/td>\n<\/tr>\n<tr>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-87c3e189070b15db4caf41f4515db129\"><strong>Incident sources<\/strong><\/p>\n\n\n\n<\/td>\n<td>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color 
wp-elements-a9842098aa870d2e2b3eb904e33cca46\">How often does incident discovery happen manually by an analyst before a received event from a specific technology?<\/p>\n\n\n\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-eaedaf9c4f22e73933b9ee1557b5ac19\" id=\"how_to_track_security_kpis\"><strong>How to track security KPIs<\/strong><\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-02e1dea318b3885729be3beca5d1bbd1\"><a href=\"https:\/\/www.sumologic.com\/guides\/soar\/\">SOAR<\/a> gives you the tools to keep track of your KPIs by delivering real-time data that can help you review and optimize security operations.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4b1664a1c1b403adbc89cb2b5f21a1a0\">For example, Sumo Logic Cloud SOAR allows you to assess security KPIs crucial to making critical security decisions. With this cybersecurity solution, you can:<\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-298346b0b22e37b8392a3ae235437fb3\">Build and maintain situational awareness of the actual state of your security activities in real time<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9f593585d1facbbcd12642b5d5c0bc43\">Benchmark and optimize security operation and incident response actions<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-733dc12f1123098c693ab719aa9292a2\">Analyze over 140 customizable KPIs using a customizable dashboard<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-484bcbd2d74a30a6862fd0854b73bab8\">Measure each phase of the incident response life cycle separately<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<h2 
class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-e80d7d1755b950e6e77b2e2df20eef80\" id=\"main_takeaways\"><strong>Main takeaways<\/strong><\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-28b9910df78bbe3478bae1615063cf9d\">At its core, a KPI is a way to measure the success or failure of an overarching business goal, function, or objective. It also informs your strategic decision by providing actionable information. High-quality cybersecurity KPIs serve as a security program enabler and driver for continuous improvement.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9c9924af241b4c3870cfce718470c759\"><a href=\"https:\/\/www.sumologic.com\/brief\/how-to-calculate-the-roi-of-cloud-soar\/\">Learn how to calculate the ROI of Cloud SOAR<\/a>&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8dfdde122956e09f4578cff932f8984c\">There will never be a set of correct security KPIs for every organization. The goals and objectives of each company will invariably be different, and an organization&#8217;s KPIs should always reflect individual priorities and circumstances. 
In other words, your organization&#8217;s security KPIs should be a function of your company&#8217;s environment and goals.&nbsp;<br><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":121,"featured_media":0,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"3","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[133,127],"blog-tag":[]},"selected_primary_terms":[],"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"71176,71070,71043","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[133,127],"blog-tag":[],"class_list":["post-4914","blog","type-blog","status-publish","hentry","blog-category-cloud-soar","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4914","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/users\/121"}],"version-history":[{"count"
:4,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4914\/revisions"}],"predecessor-version":[{"id":20642,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4914\/revisions\/20642"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media?parent=4914"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-category?post=4914"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-tag?post=4914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}