7 Business Metrics Security Pros Need to Know
These days, security has to speak the language of business. These KPIs will get you started.
December 21, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2cc7bb1b71022d94/64f0d605a0be2754b11e86de/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
(Image: Moritz320)
Peter Drucker, aka the founder of modern management, is credited with writing, "If you can't measure it, you can't improve it." Over time, that has been broadened to, "If you can't measure it, you can't manage it," a statement that is taken as holy writ for most modern executives.
Indeed, business in the 21st century is all about metrics. Cybersecurity has plenty, measuring everything from port probes to login attempts. It's expected that cybersecurity managers will have a good handle on all of these metrics and know what they're saying about their organizations. But in today's business organization, these security metrics aren't enough.
In order to protect the business, security has to speak the language of business. The last decade has seen a growing, if sometimes grudging, acknowledgment of this by security professionals. The question for many security pros is, "Which business metrics should I know?"
Each organization may have its own unique key performance indicators (KPIs) to take into consideration. But certain metrics matter regardless of the particular business. To cover all of them is the subject of an MBA, but we've put together a list that includes some basics, some that might escape first notice, and some that have a particular interest from a security perspective.
In each case, these are metrics that cybersecurity pros should understand and pay attention to. Do you use them in your security practice? What other metrics do you think should be on this list? Let us know in the comments.
Broadly speaking, there are three kinds of customers: those who love you so much they'll tell everyone, those who are OK with your products or services, and those who hate you so much they'll tell everyone. While sales volume tends to live in the middle category, in today's social media landscape you need to maximize those in the first group while minimizing those in the last. Your success is measured in the Net Promoter Score.
The marketing department will build the Net Promoter Score, but security needs to know the role it plays in making customers deliriously happy. Is security effective and unobtrusive? Are privacy policies rational and transparent? Are breaches dealt with effectively and disclosed quickly? All of these play a role.
Becoming a partner with marketing and sales is important to keep security relevant as a department that's good at more than simply saying "no." Understanding the importance of the Net Promoter Score, and security's role in improving it, will make those marketing-oriented conversations much more productive.
Sales leads are important. Actual customers are, oh, so much more critical. A company's success at turning the former into the latter is measured by the lead-to-client conversion rate.
In the classic sales model of inside versus outside sales teams and weekly sales reports, sales managers would be able to see the number of phone calls or on-site visits, the number of new leads, and the number of new sales conversions. Those are still important, but for consumer organizations, the question is how many visitors to the website become actual customers.
Within the overall conversion rate, it's important for security to see where potential customers abandon the process. If the drop-off clusters around the registration or authentication steps in the ordering process, that's a critical indicator that the site's security controls are adding more friction than customers will tolerate. Be sensitive to this metric, make sure that security isn't responsible for driving down the rate, and you'll keep marketing in your corner when it comes to budget and project meetings.