Last quarter, a CISO asked me how many vulnerabilities we'd remediated. I gave her a number. She asked, "Is that good?" I had no answer. That moment taught me that raw numbers without context are just noise—and it fundamentally changed how I approach security reporting. Here's the framework I've built since then.
Why Most Security Metrics Fail
The trap is easy to fall into: you measure what's easy to count rather than what matters. Tracking "total alerts generated" or "number of patches applied" feels productive, but these vanity metrics tell leadership nothing about actual risk reduction. Effective security metrics answer one question: Are we measurably reducing organizational risk over time?
To get there, you need three layers: operational metrics (for your SOC team), tactical KPIs (for security leadership), and strategic reporting (for executives and the board).
Building Your Metrics Framework
Operational Metrics: The SOC Floor
These are the numbers your analysts live with daily. They drive workflow improvements and staffing decisions.
| Metric | Target Example | Why It Matters |
|---|---|---|
| Mean Time to Detect (MTTD) | < 4 hours | Measures detection capability |
| Mean Time to Respond (MTTR) | < 1 hour | Measures response efficiency |
| Alert-to-Incident Ratio | < 15:1 | Indicates alert tuning quality |
| False Positive Rate | < 30% | Reflects rule/signature accuracy |
You can extract these programmatically. Here's a quick example pulling MTTR data from your SIEM using an Elasticsearch query (the request body is fed through a quoted heredoc so the single quotes inside the Painless script don't break the shell string, and the script uses the Java time API so it runs on both 7.x and 8.x clusters):

```bash
# Average minutes from detection to resolution over the last 30 days.
# Assumes documents in incidents-* carry detected_at and resolved_at date fields; requires jq.
curl -s -X POST "https://siem.internal:9200/incidents-*/_search" \
  -H "Content-Type: application/json" \
  --data-binary @- <<'EOF' | jq '.aggregations.avg_mttr_minutes.value'
{
  "size": 0,
  "query": {
    "range": { "@timestamp": { "gte": "now-30d/d" } }
  },
  "aggs": {
    "avg_mttr_minutes": {
      "avg": {
        "script": {
          "source": "(doc['resolved_at'].value.toInstant().toEpochMilli() - doc['detected_at'].value.toInstant().toEpochMilli()) / 60000.0"
        }
      }
    }
  }
}
EOF
```

Tactical KPIs: Security Leadership
These bridge the gap between operations and strategy. Track them monthly:
- Vulnerability remediation SLA compliance — Percentage of critical/high vulnerabilities patched within your defined SLA (e.g., critical within 7 days, high within 30).
- Coverage ratio — Percentage of assets with active EDR, logging, and vulnerability scanning. A 95% detection coverage sounds great until you realize the unmonitored 5% includes your domain controllers.
- Phishing resilience rate — Click-through rate on simulated campaigns, trended over quarters.
Automate coverage checks rather than relying on assumptions:

```bash
# Compare asset inventory against EDR enrollment. Both lists are lower-cased so
# hostname case differences between sources don't show up as false gaps, and
# LC_ALL=C keeps sort and comm using the same collation.
export LC_ALL=C
comm -23 \
  <(tr '[:upper:]' '[:lower:]' < /opt/inventory/all_endpoints.txt | sort -u) \
  <(tr '[:upper:]' '[:lower:]' < /opt/edr/enrolled_endpoints.txt | sort -u) \
  > /tmp/unprotected_assets.txt
echo "Unprotected endpoints: $(wc -l < /tmp/unprotected_assets.txt)"
```

This one-liner has uncovered blind spots in every environment I've deployed it in.
Strategic Reporting: The Executive Layer
Executives don't want dashboards full of numbers—they want risk context and trend lines. Structure your monthly or quarterly report around:
- Risk posture trend — Are we improving? A single composite score (based on weighted KPIs) trended over 6+ months is powerful.
- Top 5 risks with business impact — Map technical findings to business outcomes: "Unpatched EHR servers expose patient data to ransomware, risking $X in regulatory fines."
- Investment effectiveness — Did the new EDR tool actually reduce MTTD? Show before-and-after data.
Avoiding Common Pitfalls
Don't game your own metrics. If your team closes incidents prematurely to improve MTTR, you've optimized the number while degrading security. Pair efficiency metrics with quality indicators like incident reopening rate.
Normalize for environment changes. A spike in vulnerabilities after onboarding 500 new assets isn't a regression—it's expected growth. Report per-asset ratios alongside raw counts.
Automate collection ruthlessly. Any metric that requires manual spreadsheet work will eventually be abandoned. Use cron jobs, API integrations, and pipeline tools to feed dashboards automatically.
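As an added example (not code from the original post), here is a Python calculation of the operational metrics from the SOC table above, paired with the reopen-rate and per-asset checks this section calls for; the incident records, field names and the 5-point reopen threshold are constructed assumptions:

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (illustrative, not real data). Timestamps: when the
# malicious activity began, when the SOC detected it, and when the case was closed.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-05-01T08:00", "detected": "2024-05-01T10:00",
     "resolved": "2024-05-01T10:45", "alerts": 12, "false_positive": False, "reopened": False},
    {"id": "INC-2", "occurred": "2024-05-02T00:00", "detected": "2024-05-02T06:00",
     "resolved": "2024-05-02T07:30", "alerts": 30, "false_positive": False, "reopened": True},
    {"id": "INC-3", "occurred": "2024-05-03T12:00", "detected": "2024-05-03T13:00",
     "resolved": "2024-05-03T13:15", "alerts": 13, "false_positive": False, "reopened": False},
    # A false positive: nothing actually occurred, so "occurred" equals "detected".
    {"id": "INC-4", "occurred": "2024-05-04T09:00", "detected": "2024-05-04T09:00",
     "resolved": "2024-05-04T09:10", "alerts": 5, "false_positive": True, "reopened": False},
]

def _hours(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600

def soc_metrics(incidents):
    """Compute the operational metrics from the table plus the reopen-rate quality check."""
    confirmed = [i for i in incidents if not i["false_positive"]]
    return {
        "mttd_hours": round(mean(_hours(i["detected"], i["occurred"]) for i in confirmed), 2),
        "mttr_minutes": round(mean(_hours(i["resolved"], i["detected"]) * 60 for i in confirmed), 2),
        # Raw alerts consumed per confirmed incident: the alert-tuning signal.
        "alert_to_incident": round(sum(i["alerts"] for i in incidents) / len(confirmed), 2),
        "false_positive_rate": round((len(incidents) - len(confirmed)) / len(incidents), 2),
        # Pairs with MTTR: closing cases early to hit the SLA shows up here instead.
        "reopen_rate": round(sum(i["reopened"] for i in confirmed) / len(confirmed), 2),
    }

def per_100_assets(count, asset_count):
    """Normalize a raw finding count so fleet growth does not read as a regression."""
    return round(count / asset_count * 100, 2)

def mttr_improvement_is_credible(previous, current, max_reopen_increase=0.05):
    """Flag an MTTR drop that coincides with a rising reopen rate as probable metric gaming."""
    faster = current["mttr_minutes"] < previous["mttr_minutes"]
    reopens_up = current["reopen_rate"] - previous["reopen_rate"] > max_reopen_increase
    return not (faster and reopens_up)
```

With the sample data, 300 criticals across 1,000 assets and 450 across 1,500 both normalize to 30 per 100 assets, which is the "expected growth" case above.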
Final Thought
The best security metrics program isn't the most sophisticated—it's the one your team actually maintains and your leadership actually trusts. Start with five well-chosen KPIs, automate their collection, and build credibility through consistency. The numbers will start speaking for themselves.
Have questions about security metrics, KPIs, and reporting? I'm always happy to talk shop — reach out or connect with me on LinkedIn.