For managers and executives, however, the picture needs to be simplified to a less controversial collection of measurements. While security administrators focus on technical metrics, managers and chief security officers have to focus on how IT security interacts with business, says Kevin Lawrence, senior security associate with IT security consultancy Stach & Liu.
"Everything comes down to whether the business impact is worth the security reward," says Lawrence. "It does not make sense to close a vulnerability if you can't then do business."
Earlier this month, industry experts weighed in on their top-5 metrics for tactical security, such as identifying dark parts of their own network and the total attack surface area. In interviews, analysts and security professionals offered a higher-level, more strategic mix of metrics to measure as well.
While some of these metrics may not directly correlate to security, getting high marks means that a company has a good level of control over its systems, network and data -- and that means security, says Andrew Jaquith, chief technology officer of security services firm Perimeter e-Security.
"Running a tighter shop, with more control, is always good for security," he says. "It means that you can react very quickly if you have to change something."
Here are five security metrics to track for businesses.
1. Keep up with the Joneses
A starting point for many companies is whether they are spending as much as the median firm in their industry. In 2012, security is expected to account for 7 percent of information-technology budgets as a whole, according to business intelligence firm Forrester Research. The number varies by industry with financial services tending to spend more, and healthcare and manufacturers spending less.
"If your industry partners are spending six percent of their IT budget on security and you are spending two percent, that's probably an issue," says Stach & Liu's Lawrence.
While the metric does not indicate how well companies are spending their security dollars, it is a good high-level measurement.
2. High-performance patching
Keeping track of how long it takes to apply a patch to all corporate systems is another critical metric, says Perimeter's Jaquith. Measuring patching latency puts the premium on speed, and that is what is important. A week or less is best, he says.
"Patching is not everything -- there are a lot of zero-days out there," Jaquith says. "But there is an exceptionally high correlation between exploits in the wild and vulnerabilities that could be patched."
While patching is not necessarily equivalent to security, it's an indicator of whether a company has good control over its systems. A company that patches quickly is likely far more aware of vulnerabilities and the state of its systems' security, he says.
"It's not so much whether patching solves your problem, but it is a key performance indicator of whether or not you are running a tight shop," Jaquith says.
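One way to compute the patching-latency metric from a patch inventory, as an added example that is not part of the article or of either firm's tooling. The patch identifiers, host names, release dates and install dates are constructed for the example; a real run would pull them from the asset and patch-management inventory. The point worth seeing in code is that the latency a manager cares about is the time until the last host is patched, not the median host, and that a patch still missing from any host has an open exposure window that should count against the SLA as soon as it exceeds the target:

```python
from datetime import date
from statistics import median

# Constructed sample inventory (hypothetical patches, hosts and dates).
# For each patch: the vendor release date, and per host the date the patch
# was confirmed installed, or None if it is still missing.
PATCH_RELEASED = {
    "KB-A": date(2012, 3, 13),
    "KB-B": date(2012, 3, 13),
}
INSTALLS = {
    "KB-A": {"web01": date(2012, 3, 14), "web02": date(2012, 3, 15),
             "db01": date(2012, 3, 19), "hr01": date(2012, 3, 16)},
    "KB-B": {"web01": date(2012, 3, 14), "web02": date(2012, 3, 14),
             "db01": None, "hr01": date(2012, 3, 20)},
}
# Constructed "today" for the report.
AS_OF = date(2012, 3, 21)


def patch_latency(patch, released, installs):
    """Latency metrics (in days) for one patch across all hosts that need it."""
    lags = [(d - released).days for d in installs.values() if d is not None]
    total = len(installs)
    covered = len(lags)
    return {
        "patch": patch,
        "coverage": covered / total,
        "median_days": median(lags) if lags else None,
        # Days until *every* host was patched. None while any host is still
        # open, because the exposure window has not closed yet.
        "full_coverage_days": max(lags) if covered == total else None,
    }


def sla_breaches(released_by_patch, installs_by_patch, as_of, sla_days=7):
    """Patches whose exposure window exceeded sla_days: either fully patched
    later than the SLA, or still incomplete with more than sla_days elapsed."""
    breaches = []
    for patch, released in released_by_patch.items():
        m = patch_latency(patch, released, installs_by_patch[patch])
        elapsed = m["full_coverage_days"]
        if elapsed is None:
            # Still open: measure the window from release to the report date.
            elapsed = (as_of - released).days
        if elapsed > sla_days:
            breaches.append(patch)
    return breaches


if __name__ == "__main__":
    for patch, released in PATCH_RELEASED.items():
        print(patch_latency(patch, released, INSTALLS[patch]))
    print("over SLA:", sla_breaches(PATCH_RELEASED, INSTALLS, AS_OF))
```

With the constructed data, KB-A reaches full coverage in 6 days and stays within the one-week target even though one host lagged; KB-B has a median host latency of one day, which looks good on a dashboard, but one host is still unpatched 8 days after release, so it is the patch that should be reported upward.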
3. All the same, more secure
For many companies, keeping systems up-to-date with a standard image allows their workers to more efficiently maintain and secure the dozens, or hundreds, of software programs on each system. Standardization can also help companies ensure that all their systems comply with any regulations that affect the business.
For that reason, tracking the proportion of standardized systems can give an indication of the effort required to secure information assets, says Stach & Liu's Lawrence.
"If you have 100 different computers in your environment and only 80 are standard, then you have a pretty big gap there that you need to close," he says.
4. Checking off the boxes quickly
Companies have to comply with an increasing number of regulations or mandates from their clients and customers. Measuring how quickly the business's workers check off the most critical boxes is a good measure of security operations as well, says Perimeter's Jaquith.
"This is good from a project planning standpoint, which helps you understand how well you can handle your security initiatives," he says.
Because most IT security teams are overwhelmed with lists of to-do items, the best metric is to focus only on the most critical issues found during an audit -- "the ones marked in red," Jaquith says.
5. Tame the Cowboy Infrastructure
Finally, companies that have frequent emergency patching and maintenance issues -- not to mention downtime -- are generally less secure, says Jaquith. Emergency changes are typically an indicator that the infrastructure is not well managed, he says.
"If 50 percent of your changes are done as emergency changes and not in your typical maintenance windows, you have a cowboy infrastructure," he says. "And cowboys do not lead to good operations, and more importantly, they don't lead to secure outcomes."
Most organizations have scheduled downtime or maintenance windows for backing up, patching and other activities. Keeping any activity that could impact security in those windows indicates that security and IT teams are planning adequately.