---
title: "Choose and track your security kpis"
page_name: "How to choose and track your security KPIs"
type: "blog"
slug: "how-smart-are-your-security-program-kpis"
published_at: "2023-02-28"
modified_at: "2025-05-09"
url: "https://www.sumologic.com/blog/how-smart-are-your-security-program-kpis"
canonical: "https://www.sumologic.com/blog/how-smart-are-your-security-program-kpis"
markdown_url: "https://www.sumologic.com/blog/how-smart-are-your-security-program-kpis.md"
lang: "en"
excerpt: "Key Performance Indicators (KPIs) are crucial to your organization's security, but how do you decide which KPIs to track to enhance your security program? Learn the 5 points of quality."
taxonomy_blog_category:
  - "Cloud SOAR"
  - "SecOps & Security"
---


# How to choose and track your security KPIs

Enrico Benzoni, Andrea Fumagalli

February 28, 2023


There’s no denying that Key Performance Indicators (KPIs) can be critical for any security program, and many of us are fully aware of that. In practice, however, confusion remains about which security KPIs are crucial to track and how to choose the right KPIs to measure and improve the robustness of your security program.

Here we’ll propose a few ideas about how to select and track the right KPIs for your organization.

## **Security KPIs and security metrics: are they the same?**

At the outset, we need to make a few clarifications.

Security KPIs and security metrics are terms often used interchangeably, but there is a slight difference between their meanings. While metrics are “[quantifiable measurements](https://www.gartner.com/en/information-technology/glossary/security-metrics#:~:text=Security%20metrics%20are%20quantifiable%20measurements,and%20reporting%20of%20relevant%20data.)” that pertain primarily to your security tactics and quotidian measurement of results, KPIs are measurables relating to your long-term security strategy and ultimate goals. Your chosen security KPIs drive crucial strategic decisions, so your security program might stand or fall with them.

From a slightly different perspective, we can say that “security metrics” is the broader concept of the two. Security KPIs are simply security metrics that carry more weight for an organization than the rest of the security metrics.

By security, we mean both [cybersecurity](https://www.sumologic.com/glossary/cyber-security/) and information security. That implies that we’ll use “security KPIs” and “cyber security KPIs” or “cybersecurity KPIs” interchangeably (somewhat loosely, some might say). The same applies to “security metrics” and “cybersecurity metrics.”

## **How to choose your security KPIs**

### **Quality**

Needless to say, when choosing cybersecurity [KPIs](https://www.scribd.com/doc/37150665/Deloitte-KPI-and-Measuring-Security), quality should always take precedence over quantity. In this case, quality is synonymous with effectiveness.

What are good indicators of an effective KPI? To be effective, a security KPI should be:

- Simple
- Measurable
- Actionable
- Relevant
- Time-based

### **Quantity**

Tracking too many KPIs can place decision-makers in a state of information overload.

To consider what KPIs you should monitor without going down the rabbit hole, you should try to answer the following two simple questions:

- Will a particular KPI inspire the most meaningful change in your organization?
- Can it be adapted to address unforeseen shortcomings of your security program or increase its applicability?

## **Security KPIs measured in security operations**

Below is a small list of selected **critical** cybersecurity metrics, i.e., KPIs that Security Operations Centers (SOCs) usually measure. In addition, the list contains some key questions you need to answer when considering whether a cybersecurity metric is a suitable KPI for your company.

| **KPI** | **Questions to consider** |
|---|---|
| **Mean Time to Detect (MTTD)** | Are there alternative procedures to reduce the time to detect? |
| **Mean Time to Respond (MTTR)** | Are there ways to improve the response phases? |
| **Mean Time to Contain (MTTC)** | Can containment techniques be enhanced? |
| **Total number of incidents** | How many security incidents are being handled? |
| **Number of false positives** | Is there an opportunity for automation to help address the SecOps pain points? |
| **Time to identify an alert as a false positive** | Can the time for the discovery of false positives be shortened? |
| **Number of devices being monitored** | Which devices pose the greatest attack risk? |
| **Number of incidents per device or host** | Are some devices or hosts more prone to false positives? |
| **Number of incidents per service or application** | Are specific services or applications more prone to security issues, causing increased security risk? |
| **Number of incidents per account** | Are specific accounts (users) more likely to perform risky behavior? |
| **Number of analysts assigned** | Can incident response resources be allocated more efficiently? |
| **Average time of the incident phases** | Are there any potential improvements to the escalation process that can make security incident handling more efficient? |
| **Incident sources** | How often does incident discovery happen manually by an analyst before a received event from a specific technology? |
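
As an added illustration (not code from the original post or from Sumo Logic), the sketch below computes several of the KPIs in the table from a small set of constructed incident records. The record field names and the exact definitions used (MTTD as occurrence to detection, MTTC as detection to containment, MTTR as detection to resolution) are assumptions; adjust them to match how your own SOC defines each phase.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample records (not real data). Field names are assumptions.
# False positives have no "occurred"/"contained"; "resolved" is when triage closed them.
INCIDENTS = [
    {"host": "web-01", "occurred": "2023-02-01T08:00", "detected": "2023-02-01T10:00",
     "contained": "2023-02-01T11:00", "resolved": "2023-02-01T14:00", "false_positive": False},
    {"host": "db-01", "occurred": "2023-02-03T00:00", "detected": "2023-02-03T06:00",
     "contained": "2023-02-03T09:00", "resolved": "2023-02-03T16:00", "false_positive": False},
    {"host": "web-01", "occurred": "2023-02-05T12:00", "detected": "2023-02-05T13:00",
     "contained": "2023-02-05T15:00", "resolved": "2023-02-05T17:00", "false_positive": False},
    {"host": "web-01", "occurred": None, "detected": "2023-02-06T09:00",
     "contained": None, "resolved": "2023-02-06T09:30", "false_positive": True},
    {"host": "vpn-01", "occurred": None, "detected": "2023-02-07T09:00",
     "contained": None, "resolved": "2023-02-07T10:30", "false_positive": True},
]


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def compute_kpis(incidents):
    """Compute a handful of the SOC KPIs listed in the table."""
    real = [i for i in incidents if not i["false_positive"]]
    fps = [i for i in incidents if i["false_positive"]]

    def avg(records, start, end):
        # Skip records missing a timestamp instead of skewing the mean with zeros.
        spans = [hours_between(r[start], r[end]) for r in records if r[start] and r[end]]
        return mean(spans) if spans else None

    return {
        "total_incidents": len(incidents),
        "false_positives": len(fps),
        "mttd_hours": avg(real, "occurred", "detected"),      # assumed: occurrence -> detection
        "mttc_hours": avg(real, "detected", "contained"),     # assumed: detection -> containment
        "mttr_hours": avg(real, "detected", "resolved"),      # assumed: detection -> resolution
        "fp_triage_hours": avg(fps, "detected", "resolved"),  # time to identify a false positive
        "incidents_per_host": dict(Counter(i["host"] for i in incidents)),
    }


if __name__ == "__main__":
    for name, value in compute_kpis(INCIDENTS).items():
        print(f"{name}: {value}")
```

Keeping false positives out of the MTTD, MTTC and MTTR averages, and timing their triage separately, prevents quick false-positive closures from making response times look better than they are.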

## **How to track security KPIs**

[SOAR](https://www.sumologic.com/guides/soar/) gives you the tools to keep track of your KPIs by delivering real-time data that can help you review and optimize security operations.

For example, Sumo Logic Cloud SOAR allows you to assess security KPIs crucial to making critical security decisions. With this cybersecurity solution, you can:

- Build and maintain situational awareness of the actual state of your security activities in real time
- Benchmark and optimize security operation and incident response actions
- Analyze over 140 customizable KPIs using a customizable dashboard
- Measure each phase of the incident response life cycle separately

## **Main takeaways**

At its core, a KPI is a way to measure the success or failure of an overarching business goal, function, or objective. It also informs your strategic decisions by providing actionable information. High-quality cybersecurity KPIs serve as a security program enabler and driver for continuous improvement.

There will never be a set of correct security KPIs for every organization. The goals and objectives of each company will invariably be different, and an organization’s KPIs should always reflect individual priorities and circumstances. In other words, your organization’s security KPIs should be a function of your company’s environment and goals.

Enrico Benzoni

Manager, Marketing and Technology Alliances

Andrea Fumagalli

Senior Director, Customer Engineering

