Metrics are one of management’s most important tools, but only when the right metrics are chosen. Pick the wrong metrics, and you’ll spend a lot of time and money optimizing numbers that don’t really matter. The right metrics are the ones that align with business functions.
Factors to Help Pick the Right Metrics
The key to choosing the right metrics is knowing your objectives and understanding your resources. The metrics chosen may be driven by internal business goals or externally imposed regulations, but each should relate to a clearly expressed goal that isn’t just about improving that particular number. The business or IT team should be able to take actions that move the metric, either up or down. If a metric is completely outside your control, it may be interesting to know, but it cannot inform decisions about how technology is used. Related to that, you should be able to set a target for the metric, based on industry standards, best practices, and what is feasible for your organization given your starting point and capabilities.
To be useful, a metric also needs to be genuinely measurable, and measurable in a consistent way, so that it can be tracked over time. Measuring it needs to be both simple and accurate; otherwise decisions will be made on bad data.
Insight for Picking the Right Metrics
Given those guidelines, how do you gather the information needed to determine and prioritize metrics? A quick search turns up many suggested metrics to choose from, such as how many attacks you’ve identified and how long it took to detect them.
But rather than picking from an arbitrary list of metrics, a systematic assessment like Palo Alto Networks’ Security Lifecycle Review (SLR) provides a clear analysis of the threats you face. With that data, you can assess how your preparedness compares with your industry peers and place your vulnerabilities in a business context so they can be effectively prioritized.
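Take the time-to-detect metric just mentioned and apply the criteria above to it: one fixed definition applied the same way to every incident, records that cannot be measured excluded rather than guessed, obviously bad data rejected, a target to compare against, and the same number bucketed by month so it can be tracked over time. The following is an added example written for this page, not code from the original post or from any vendor tool; the incident records are constructed sample data, and the 24-hour target is an assumed value, not an industry standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


# Constructed sample incidents (not real data). first_evidence is the earliest
# attacker activity the investigation established; detected is when the SOC
# first raised the case. None means detection time is not yet established
# (for example, the incident was reported by a third party).
@dataclass(frozen=True)
class Incident:
    id: str
    first_evidence: datetime
    detected: Optional[datetime]


INCIDENTS: List[Incident] = [
    Incident("INC-1", datetime(2024, 1, 2, 8, 0), datetime(2024, 1, 2, 10, 0)),
    Incident("INC-2", datetime(2024, 1, 10, 0, 0), datetime(2024, 1, 13, 0, 0)),
    Incident("INC-3", datetime(2024, 2, 5, 9, 0), datetime(2024, 2, 5, 9, 30)),
    Incident("INC-4", datetime(2024, 2, 20, 12, 0), None),
    Incident("INC-5", datetime(2024, 2, 25, 6, 0), datetime(2024, 2, 26, 12, 0)),
]


def time_to_detect_hours(inc: Incident) -> Optional[float]:
    """One fixed definition of the metric, applied identically to every incident."""
    if inc.detected is None:
        return None  # unmeasurable: excluded, not guessed
    if inc.detected < inc.first_evidence:
        # A detection before any evidence means the record is wrong; refuse it
        # rather than silently producing a negative or zero value.
        raise ValueError(f"{inc.id}: detected before first evidence")
    return (inc.detected - inc.first_evidence) / timedelta(hours=1)


def detection_summary(incidents: List[Incident], target_hours: float) -> Dict[str, object]:
    """Mean and median time to detect, plus how the population compares to a target.

    The median is used for the target check because a single long-running
    intrusion skews the mean badly."""
    values: List[float] = []
    excluded: List[str] = []
    for inc in incidents:
        ttd = time_to_detect_hours(inc)
        if ttd is None:
            excluded.append(inc.id)
        else:
            values.append(ttd)
    if not values:
        return {"count": 0, "excluded": excluded, "mean_hours": None,
                "median_hours": None, "within_target": 0, "meets_target": False}
    return {
        "count": len(values),
        "excluded": excluded,
        "mean_hours": mean(values),
        "median_hours": median(values),
        "within_target": sum(1 for v in values if v <= target_hours),
        "meets_target": median(values) <= target_hours,
    }


def monthly_median_hours(incidents: List[Incident]) -> Dict[str, float]:
    """Same definition bucketed by detection month, so the number can be tracked over time."""
    buckets: Dict[str, List[float]] = {}
    for inc in incidents:
        ttd = time_to_detect_hours(inc)
        if ttd is None:
            continue
        key = inc.detected.strftime("%Y-%m")
        buckets.setdefault(key, []).append(ttd)
    return {month: median(vals) for month, vals in sorted(buckets.items())}


if __name__ == "__main__":
    print(detection_summary(INCIDENTS, target_hours=24))
    print(monthly_median_hours(INCIDENTS))
```

On the sample data the median is under the assumed 24-hour target even though the mean is not, and INC-4 is reported as excluded rather than silently dropped; both are the kind of detail that makes a metric defensible when it is challenged.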
The SLR reports tell you how your network is being used, by identifying the applications, cloud applications, and websites users are accessing, along with the sort of files they’re sharing. In addition to software, SLR identifies the devices on the network, including those IoT devices that are often connected without any oversight or control. SLR also identifies vulnerabilities, infections, and malware on your network.
The benefit of the SLR is that you see the complete picture of your IT assets and the vulnerabilities they face. It quantifies the risk, as well as provides guidance for mitigation. With the SLR, you can evaluate proposed metrics against the actual context of your IT risk, ensuring they align with true business needs.
VAST IT Services supports the full suite of products from Palo Alto Networks and helps clients use the Security Lifecycle Review to ensure their security metrics and security actions address the actual information security needs of the business. Contact us to learn more about how Security Lifecycle Review can help your business effectively measure and manage your information security risks.