For Security & Risk Professionals

Develop Effective Security Metrics

    Why Read This Report

    This report outlines the benchmarks for Forrester's solution for security and risk (S&R) professionals looking to build a high-performance security program and organization. We designed this report to help S&R pros develop and report the appropriate security metrics for their security organization. Security metrics are a key initiative for chief information security officers (CISOs) today, but many struggle with picking the right metrics. Some CISOs use a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics make their lives easier or harder. Good metrics are easy-to-understand, incite actions, and change behavior by providing a clear idea of why the audience cares. When CISOs present metrics, they must be able to clarify "What it means" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy and to drive behavior change and improve performance.
    US $ 499
    Become A Client

    Get objective, pragmatic guidance that helps you make tough decisions and succeed in a complex world. Contact us to learn more.

    Already A Client?
    Log in to read this document.


    • CISOS Continue To Struggle To Find The Right Metrics
    • CISOs Need A Security Metrics Strategy
    • Best Demonstrated Practices In Security Metrics
    • Best Practice No. 1: Be Very Selective In Picking The Metrics
    • Best Practice No. 2: Think Beyond The Security Organization
    • Best Practice No. 3: Focus On Reporting And Presentation
    • Forrester's Security Metrics Next Practices
    • Identify Challenges: Use Forrester's Security Metrics Maturity Model
    • Supplemental Material
    • Related Research Documents