• i-confidential

Our Security Metrics Capability Model

By i-confidential Staff


Measuring the ‘right’ things is the key to driving improvement. But with ever more data being collected, it’s easy to take measurement as a given.

Many organisations put substantial effort into developing good security metrics, but we often see room for improvement. At i-confidential, we have developed a Security Metrics Capability Model that focuses on all aspects of measurement. This has helped our industry-leading clients achieve their goals. Its four core components can be used to help organisations at any stage of their metrics journey.

Below, we’ll provide a few insights into their importance and how they can help you.


Without strong foundations in place, organisations are unlikely to be successful:

Roles and Responsibilities – key to many organisational activities. From a cyber security perspective, there are many parties involved in a wide range of tasks, such as data collection or asset management. Clarity around who does what and their level of accountability is a vital step in any metrics journey.

Governance – a core business discipline. It includes metric definitions and risk thresholds that are managed and controlled, meaning change only happens in a conscious and agreed way.

Policy – rigorous requirements ensure new metrics provide the measurement information that is needed right from the start.


There are several environmental factors that can impact an organisation’s metric capabilities:

Assets – types range widely from software installations to hardware devices like laptops and servers. For example, organisations should have an up-to-date and accurate inventory of what connects to their network.

Inherent Risk once you have identified your assets, they need to be risk rated. Next, categorising them enables you to focus on protecting your most important assets first and make the best use of available resources.

Controls – well defined security controls form the basis of an effective security strategy. When the definition is unclear, metric collection and security improvement fails.


Control of metric capabilities is ensured through strong management:

Risk Appetite – your organisation needs a common view of objectives to understand and govern the associated risk exposure. From here, you can determine and manage metric thresholds accordingly.

Performance Culture – an organisation’s culture is pivotal in how it views control performance. Is calling out a problem area a good thing? Yes, because with the right support it can then be fixed, but the focus must quickly shift to actions. There should be a commitment to continuous improvement at all levels.

Audience – there are many stakeholders interested in security risks and control performance. Everyone needs to be on the same page regarding what is being measured and why. Fail to establish this up front and the wrong conversations will often ensue.


Here, we look at measurement itself. Just because data is more plentiful than ever doesn’t mean it’s used well. Security risks and controls need to be monitored:

Metrics – these should provide a multi-dimensional view of performance. This includes coverage, results, and remediation measures. Any operational tolerances must align to risk so that improvement actions are prioritised against the most significant security weaknesses.

Dashboards - it’s essential to report on metrics clearly and consistently. Grouping individual results at different levels enables various audiences to understand performance. For instance, you can provide a ‘top-down’ view for executives and go ‘bottom-up’ for control owners and SMEs. Stakeholders can then see an organisation’s true control and risk position.

Automation - without it, human error generates too many mistakes. To measure controls in all dimensions requires mass aggregation of results. Taking a manual approach leads to inaccurate metrics that are also costly to collect and present.


Doing all of this is challenging, but we have helped a number of industry-leading clients achieve a broad range of goals. Some organisations start at ‘square one’ and benefit from detailed guidance throughout the journey, whereas others already have a mature set of metrics in place and need help with fine-tuning and presentation. And for organisations that use ServiceNow, we have developed an approach that brings some of these key components together, making reporting streamlined, compelling, and simple to manage.

Why not find out how we can help you?