In the world of cybersecurity, we've all encountered those articles: lists that tell us the top ten metrics to track to improve performance, strengthen security posture, or communicate with and impress the board. Many of these lists include metrics such as MTTD, MTTR and Average Vendor Security Rating, to name a few. The purpose of these lists is to help us understand where we are, map where we are heading, and work with our peers to reduce risk and exposure to threats.
The cybersecurity industry is still grappling with the rather new challenge of finding the right recipe for the right metrics. We see a range of leading firms and cybersecurity leaders intensively debating and writing on this topic. From Google security leadership to metrics aficionados and naturally the risk rating leadership, all are well focused on “what needs to be measured”.
While it’s a good start to know WHAT metrics to measure, the real challenge is understanding HOW to streamline continuous measurements.
Metrics can’t stand alone.
Metrics need to be interconnected to provide a dynamic view of our organization's security landscape and of how we're performing against a range of parameters, among them risk tolerance and policies. But in today's reality there's a major gap between cybersecurity measurements and a real-time, comprehensive understanding. Such an understanding would allow the cybersecurity leadership to see what's actually happening, proactively spot gaps, prioritize the most critical risks to the organization and execute an action plan accordingly.
So, even if I were to share in this article the top ten metrics I think are the most important to measure, it would only be the first step, and the list would depend on the particular purpose and audience of your particular organization. The real power comes from correlating your metrics—understanding how one variable influences another and creating a dynamic, comprehensive narrative about the organization's security performance.
Why current methods for metrics are failing
In my work with security organizations, I've encountered three common (yet inefficient) approaches to measuring cybersecurity effectiveness. First, there's the overwhelming reliance on spreadsheets—a sea of endless rows and columns, with metrics meant to represent the organization's security posture that often only add to the complexity.
Second, there’s the attempt to integrate analytics tools with cybersecurity tools, which creates a disconnect, as data professionals typically lack the nuanced understanding of security, while cybersecurity experts may not fully grasp the data analytics side. Finally, many organizations turn to the Big Four consulting firms, only to receive yet another massive spreadsheet.
Each of these approaches reveals the same core issue: they lack real applicability, leaving security teams in the dark rather than equipped to act. These methods yield static results; they are cumbersome, manual and stand-alone whereas security is constantly evolving and interrelated.
Security leaders cannot capture something so fluid and complex with tools that are frozen in time. They need something agile that connects the dots and places measurements (of performance, risk, threats) in context.
I have also learned from customers who have spent years and millions of dollars building their own metric automation programs that these are the key challenges: (1) identifying which data is truly important, (2) continually collecting and maintaining the data, and (3) incorporating the security context when data analysts, rather than security staff, are in charge of managing the data. It is no wonder that so many customers give up on in-house metric programs after investing so much time and money.
You need real-time data that goes beyond being static numbers. This data needs to be flexible, showing historical trends as well as being adaptable to the perspectives that matter most today. Only then can your organization truly grasp what’s happening, identify gaps, and take meaningful, prioritized action.
A key example: Vulnerability Prioritization
There are countless examples of how correlating metrics can make a real difference. Here's one that I see our customers find especially valuable: vulnerabilities. A vulnerability management solution might flag 1,000+ endpoints as critical. But how do you know which ones to address first?
By correlating vulnerability data with asset management information, you can gain key insights into which business units those endpoints belong to.
You can take it a step further by adding identity security data: Which users are connected to these endpoints? Are they admins? Do they have access to sensitive financial or intellectual property data? Have any of these users been targeted by phishing attacks?
This automated lens of enriched context (rather than a siloed list of metrics) allows you to prioritize vulnerabilities based on their actual risk to your business, ensuring your actions align with the most critical objectives and business impact.
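As an added illustration (not code from the article or from any product it mentions), the script below carries this correlation through on constructed scanner, asset-inventory and identity records: the field names and the scoring weights are assumptions, and one host is deliberately missing from the inventory to show how an unmanaged asset surfaces in the ranking.

```python
"""Correlate vulnerability, asset and identity data to rank endpoints.

Added example, not the article's or any vendor's code. All records are
constructed sample data; field names and weights are assumptions.
"""

# Constructed: what the scanner alone reports. Every host is "critical",
# so severity by itself gives no ordering.
VULNS = [
    {"host": "fin-ws-01", "cve": "CVE-PLACEHOLDER-1", "severity": "critical"},
    {"host": "dev-ws-07", "cve": "CVE-PLACEHOLDER-2", "severity": "critical"},
    {"host": "kiosk-03", "cve": "CVE-PLACEHOLDER-3", "severity": "critical"},
    {"host": "unk-ws-99", "cve": "CVE-PLACEHOLDER-4", "severity": "critical"},
]
# Constructed asset inventory: business unit and criticality tier per host.
ASSETS = {
    "fin-ws-01": {"business_unit": "Finance", "tier": "high"},
    "dev-ws-07": {"business_unit": "Engineering", "tier": "medium"},
    "kiosk-03": {"business_unit": "Facilities", "tier": "low"},
}
# Constructed identity records: who uses the host and how exposed they are.
IDENTITIES = [
    {"user": "cfo", "host": "fin-ws-01", "admin": False, "sensitive_access": True, "phished": True},
    {"user": "dev1", "host": "dev-ws-07", "admin": True, "sensitive_access": False, "phished": False},
    {"user": "guest", "host": "kiosk-03", "admin": False, "sensitive_access": False, "phished": False},
]

TIER_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed weights

def enrich(vuln, assets, identities):
    """Attach business and identity context to one finding and score it."""
    host = vuln["host"]
    # A host absent from the inventory is itself a gap worth reporting.
    asset = assets.get(host, {"business_unit": "UNINVENTORIED", "tier": "low"})
    users = [u for u in identities if u["host"] == host]
    score = TIER_WEIGHT[asset["tier"]]
    score += 2 * any(u["admin"] for u in users)            # privileged user present
    score += 2 * any(u["sensitive_access"] for u in users) # finance / IP access
    score += 1 * any(u["phished"] for u in users)          # recently targeted
    return {**vuln, "business_unit": asset["business_unit"],
            "users": [u["user"] for u in users], "risk": score}

def prioritize(vulns=VULNS, assets=ASSETS, identities=IDENTITIES):
    """Return findings ordered by enriched risk, highest first (stable sort)."""
    return sorted((enrich(v, assets, identities) for v in vulns), key=lambda r: -r["risk"])

if __name__ == "__main__":
    for r in prioritize():
        print(f'{r["risk"]:>2}  {r["host"]:<10} {r["business_unit"]:<14} users={r["users"]}')
```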
The same would be true when prioritizing the endpoints without any coverage (by correlating data from CrowdStrike and Kandji), prioritizing unscanned projects (by correlating data from Snyk and GitHub), or prioritizing which users haven't been offboarded properly (by correlating data from Workday and Azure).
Unlocking the Full Potential of Security Metrics
The true power of metrics lies in their ability to help prioritize. Only by moving beyond isolated “top ten metrics to measure” lists can security leaders and teams identify interrelated patterns that span multiple layers of their security stack. This shift not only unlocks deeper insights but also drives more efficient workflows and leads to more impactful outcomes.
Originally published on Cyber Defense Magazine, January 2025.