Security Performance Metrics Fall Short

For Voice of Security 2025, sponsored by Tines and AWS, IDC surveyed 900+ security leaders.


In the face of mounting pressures, a new challenge has emerged for security teams - the metrics used to measure their performance often fall short. That’s one of the key findings from IDC's Voice of Security 2025 white paper, sponsored by Tines and AWS, which shows that many organizations use metrics that fail to accurately reflect security team effectiveness.

The survey of 915 security leaders across the US, Europe, and Australia revealed a concerning trend:

  • 35% of security teams are measured by "number of incidents handled" - worryingly, this was the most common metric used
  • 23% are measured by "number of alerts"

These metrics are not just inaccurate: they can distract and derail security teams trying to measure and improve their performance. It is akin to judging a doctor's performance by the number of patients who seek treatment, a factor largely outside their control.

The research highlights an increasing need for security leaders to align with leadership on metrics that accurately reflect security effectiveness by measuring their contribution to organizational resilience and business growth.

The problem: conflating activity with effectiveness

It's clear that metrics like "number of incidents handled" and "number of alerts" offer minimal insights into a security team's effectiveness. While they may be useful for understanding the threat landscape, they shouldn't be used to measure performance. Consider how challenging it would be for a team to establish what "good" looks like - is there an "ideal" number of incidents or alerts to handle? Such metrics can be a burden for already-oversubscribed practitioners.

Worse still, flawed performance metrics can undermine team morale and, with it, effectiveness. The IDC research also reveals a strong connection between misaligned metrics and job satisfaction: among security leaders reporting low job satisfaction, the top contributing factor was a "lack of respect and support from other leaders at the organization."

The solution: selecting metrics that link to resilience

Encouragingly, the research also showed that more meaningful metrics are being used to track performance:

  • Mean time to respond (32%)
  • Time to detect (32%)
  • Time to containment (28%)
  • Reduction of false positives (22%)
  • Time to eradication (23%)

These metrics offer a more nuanced view of a team's effectiveness, focusing on speed, accuracy, and impact rather than incident or alert volume. They provide insights into how quickly teams can identify, contain, and resolve threats – all factors that directly contribute to an organization's resilience.
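To make these time-based metrics concrete, the following is an added worked example (not code from the IDC white paper, Tines, or AWS) that computes them from a set of incident records. The records are constructed for illustration, and the definitions are assumptions a practitioner would need to agree with leadership up front: time to detect is measured from the earliest attacker activity established by forensics to the moment an alert or ticket was opened, while time to respond, contain and eradicate are measured from that detection timestamp. False positives are excluded from the time calculations but counted in the false-positive rate, and the "incidents handled" volume metric is reported alongside so the two can be compared.

```python
"""Compute resilience-oriented SOC metrics from incident records.

Added example: the record layout, field names and timing definitions are
assumptions, not a standard from the survey. Sample incidents are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional

ts = datetime.fromisoformat  # "2025-01-05T02:00" -> datetime


@dataclass
class Incident:
    ident: str
    first_seen: datetime            # earliest attacker activity found by forensics
    detected: datetime              # alert fired / ticket opened
    responded: datetime             # analyst began working the ticket
    contained: Optional[datetime]   # spread stopped (host isolated, creds revoked)
    eradicated: Optional[datetime]  # root cause removed; None for false positives
    false_positive: bool = False


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def mean_hours(incidents: List[Incident], start_field: str, end_field: str) -> Optional[float]:
    """Mean elapsed hours from start_field to end_field over true positives only."""
    spans = [hours_between(getattr(i, start_field), getattr(i, end_field))
             for i in incidents if not i.false_positive]
    return round(mean(spans), 2) if spans else None


def false_positive_rate(incidents: List[Incident]) -> Optional[float]:
    """Share of tickets that were closed as false positives."""
    if not incidents:
        return None
    return round(sum(i.false_positive for i in incidents) / len(incidents), 3)


def compute_metrics(incidents: List[Incident]) -> dict:
    """Return the survey's resilience metrics next to the raw volume count."""
    return {
        "incidents_handled": len(incidents),   # the volume metric the survey warns against
        "mean_time_to_detect_h": mean_hours(incidents, "first_seen", "detected"),
        "mean_time_to_respond_h": mean_hours(incidents, "detected", "responded"),
        "mean_time_to_contain_h": mean_hours(incidents, "detected", "contained"),
        "mean_time_to_eradicate_h": mean_hours(incidents, "detected", "eradicated"),
        "false_positive_rate": false_positive_rate(incidents),
    }


def false_positive_reduction(previous: List[Incident], current: List[Incident]) -> Optional[float]:
    """Relative drop in false-positive rate between two periods (positive = improvement)."""
    prev_rate = false_positive_rate(previous)
    curr_rate = false_positive_rate(current)
    if prev_rate in (None, 0) or curr_rate is None:
        return None
    return round((prev_rate - curr_rate) / prev_rate, 3)


# Constructed sample data: one quarter before and one after a tuning effort.
Q1_INCIDENTS = [
    Incident("INC-101", ts("2025-01-05T02:00"), ts("2025-01-05T14:00"), ts("2025-01-05T15:00"),
             ts("2025-01-05T20:00"), ts("2025-01-07T14:00")),
    Incident("INC-102", ts("2025-01-10T09:00"), ts("2025-01-10T09:00"), ts("2025-01-10T09:30"),
             None, None, false_positive=True),
    Incident("INC-103", ts("2025-01-12T11:00"), ts("2025-01-12T11:00"), ts("2025-01-12T11:20"),
             None, None, false_positive=True),
    Incident("INC-104", ts("2025-01-20T00:00"), ts("2025-01-21T00:00"), ts("2025-01-21T03:00"),
             ts("2025-01-21T12:00"), ts("2025-01-23T00:00")),
]
Q2_INCIDENTS = [
    Incident("INC-201", ts("2025-04-02T08:00"), ts("2025-04-02T10:00"), ts("2025-04-02T10:30"),
             ts("2025-04-02T12:00"), ts("2025-04-03T10:00")),
    Incident("INC-202", ts("2025-04-10T09:00"), ts("2025-04-10T09:00"), ts("2025-04-10T09:15"),
             None, None, false_positive=True),
    Incident("INC-203", ts("2025-04-15T20:00"), ts("2025-04-16T00:00"), ts("2025-04-16T00:30"),
             ts("2025-04-16T04:00"), ts("2025-04-16T12:00")),
    Incident("INC-204", ts("2025-04-20T22:00"), ts("2025-04-21T04:00"), ts("2025-04-21T05:00"),
             ts("2025-04-21T10:00"), ts("2025-04-22T04:00")),
    Incident("INC-205", ts("2025-04-25T13:00"), ts("2025-04-25T13:00"), ts("2025-04-25T13:10"),
             None, None, false_positive=True),
]

if __name__ == "__main__":
    for label, period in (("Q1", Q1_INCIDENTS), ("Q2", Q2_INCIDENTS)):
        print(label, compute_metrics(period))
    print("false-positive reduction Q1->Q2:", false_positive_reduction(Q1_INCIDENTS, Q2_INCIDENTS))
```

In the constructed data the team handled more incidents in Q2 than in Q1, so "number of incidents handled" would suggest a heavier or worse quarter, while every time-based metric and the false-positive rate improved. That contrast is the point of preferring the resilience metrics: they move when the team's detection engineering and response process change, not merely when attacker activity does.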

By prioritizing these types of metrics, organizations can better understand their effectiveness and make better-informed decisions about resource allocation and strategy. And aligning these metrics with broader business goals can help bridge the gap between security teams and organizational leadership, fostering greater support and recognition for security initiatives.

Four ways to align security metrics with business goals

To bridge the gap between security work and business outcomes, security leaders can:

1.    Prioritize resilience-focused metrics. Collaborate with leadership and security team members to transition from traditional volume-based metrics to those that demonstrate long-term impact and effectiveness.

2.    Align with key business objectives. Directly link security performance to critical business goals such as risk reduction, operational resilience, system uptime, customer trust, regulatory compliance, and profitability (through prevention of costly security incidents).

3.    Quantify security's ROI. Develop a security performance dashboard featuring a "security ROI" metric, providing a clear, data-driven reference point for C-suite discussions.

4.    Promote cross-organizational alignment. Engage with stakeholders across all levels of the organization to gain buy-in for your new metrics framework, clearly demonstrating security's direct contribution to overall business success.

While the most impactful performance metrics will vary by team, every security organization can benefit from rethinking metrics that waste resources or fail to demonstrate true value. By focusing on measures that reflect contributions to organizational resilience, security leaders can better showcase their value and gain crucial support from other business units.


For more insights on how security leaders are tackling their top challenges in 2025, read IDC's white paper.

