There are a variety of benefits to implementing performance metrics. First, quantifiable metrics make it possible to see the impact of security processes and technologies over an extended period of time. In turn, this presents the opportunity to communicate the state of information security to senior management effectively. That communication provides more structured guidance when deciding how to allocate an organization's resources and how to improve technologies and processes in support of the security team's mission.
Unfortunately, selecting the right metrics to calculate can be difficult. By correctly identifying which metrics are useful, an information security team can use the results to carry out its mission with close to maximum efficiency. The metrics gathered will vary between organizations, but three categories of metrics can help identify the most important ones to measure.
Implementation metrics measure the progress of rolling out a new process or technology in an environment. They are tracked until the rollout goal is reached and should help each new process or technology reach its full potential. Once an implementation metric goal has been met, the metric is converted into an efficiency metric so that the result is maintained rather than measured indefinitely as a rollout.
Efficiency metrics measure the effectiveness of processes and technologies already in place in an environment. There is usually a goal to be attained, so these metrics are typically displayed as a percentage of that goal. Measuring efficiency metrics helps maintain the optimal potential of processes and technologies and shows how performance levels change over time, including regressions below the goal.
Impact metrics calculate the impact that processes and technologies have on the business as a whole. Think of impact metrics as metrics that can be utilized during a meeting with upper-level management to demonstrate the monetary cost-savings value of processes and technologies that are being maintained by the business.
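As an added example (not part of the original article), the following Python tracks a single hypothetical control, EDR agent coverage on managed hosts, through the implementation-to-efficiency lifecycle described above. The rollout counts are constructed sample data, and the 98% coverage goal is an assumed target; both would come from an organization's own inventory and policy.

```python
"""Track one security control through the implementation -> efficiency
metric lifecycle.  Hypothetical control: EDR agent coverage on managed hosts."""

from typing import Dict, List, Tuple

# Constructed sample data (not real figures): per period, hosts with the agent
# installed and hosts in scope.
ROLLOUT: List[Tuple[str, int, int]] = [
    ("2024-01", 120, 1000),
    ("2024-02", 450, 1000),
    ("2024-03", 900, 1000),
    ("2024-04", 1000, 1000),  # implementation goal reached this period
    ("2024-05", 1040, 1050),  # now tracked as an efficiency metric
    ("2024-06", 940, 1060),   # regression: coverage fell below the goal
]

# Assumed goals: rollout is "done" at 100% of the initial scope; afterwards,
# the efficiency goal is to keep 98% of in-scope hosts covered.
IMPLEMENTATION_GOAL = 1.0
EFFICIENCY_GOAL = 0.98


def coverage(deployed: int, in_scope: int) -> float:
    """Fraction of in-scope hosts that have the agent installed."""
    if in_scope <= 0:
        raise ValueError("in_scope must be positive")
    return deployed / in_scope


def track(rows: List[Tuple[str, int, int]],
          implementation_goal: float = IMPLEMENTATION_GOAL,
          efficiency_goal: float = EFFICIENCY_GOAL) -> List[Dict]:
    """Classify each period as an implementation or efficiency measurement.

    The metric starts in the implementation phase and is reported as a
    percentage of the rollout goal.  Once that goal is reached it is converted
    into an efficiency metric, reported as a percentage of the efficiency goal,
    and any period that slips below the goal is flagged as a regression.
    """
    phase = "implementation"
    results: List[Dict] = []
    for period, deployed, in_scope in rows:
        ratio = coverage(deployed, in_scope)
        if phase == "implementation":
            results.append({
                "period": period,
                "phase": phase,
                "value": ratio,
                "pct_of_goal": round(100 * ratio / implementation_goal, 1),
                "regression": False,
            })
            if ratio >= implementation_goal:
                phase = "efficiency"  # converted for later periods
        else:
            results.append({
                "period": period,
                "phase": phase,
                "value": ratio,
                "pct_of_goal": round(100 * ratio / efficiency_goal, 1),
                "regression": ratio < efficiency_goal,
            })
    return results


def regressions(results: List[Dict]) -> List[str]:
    """Periods in which an efficiency metric fell below its goal."""
    return [r["period"] for r in results if r["regression"]]


if __name__ == "__main__":
    for r in track(ROLLOUT):
        print(f'{r["period"]} {r["phase"]:<14} {r["pct_of_goal"]:6.1f}% of goal'
              f'{"  REGRESSION" if r["regression"] else ""}')
```

Reporting the efficiency phase as a percentage of the goal, rather than as raw coverage, is what lets the same number be read by management without explaining the underlying host counts, and the regression flag is the item a team would raise when the metric drifts after the rollout is considered complete.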
When determining the correct metrics to use, keep in mind that each metric should be quantifiable and should reflect what success means for the information security team. The S.M.A.R.T. test is a useful check. Cornell defines S.M.A.R.T. metrics as:
- S - Specific/Significant
- M - Measurable/Manageable/Meaningful
- A - Achievable/Attainable/Appropriate
- R - Relevant/Realistic/Results-Oriented
- T - Timely/Tangible/Tractable
Performance measurement is an important cornerstone for encouraging performance improvement, effectiveness, and efficiency. Through the use of performance metrics, a company can confirm that it is getting the most out of each process and technology in its environment and reach the information security team's goals more efficiently.