top of page
Case Study Icon

Climbing ‘Metrics Mountain’

Our approach starts with a capability assessment to understand your starting position and desired goals.

We then provide a roadmap to meet your requirements. Your organisation will already be taking steps you can build on.


As you achieve a more mature position, your view of the security landscape will improve dramatically!

Capability Assessment

       Security Measurement Roadmap

       Stakeholder buy in

       Drive investment funding

Red Tick Icon
Metrics Mountain Flag.png

Starting Out

Embedding cyber metrics

-   Key metrics

-   Metric RAGs

-   Metrics dashboard

-   Operating model

Metrics Mountain Flag.png

Growing Up

Business-aware metrics & compelling dashboards

-   Enhanced metrics

-   Asset alignment

-   Metric aggregation

-   Performance culture

Metrics Mountain Flag.png


All controls have metrics with automated dashboards for every audience

-   Automated metrics collection

-   Automated dashboards

-   Asset inventory improvement

-   Incident-based metrics

Improved Asset Management

For an in-depth understanding of how we help clients at every stage of their security metrics journey, be sure to read Climbing Metrics Mountain with i-confidential.

Red Tick Icon

Security Metrics
Capability Model

Understanding metrics challenges is hard work. Addressing them is harder still. And there is often more than one right answer to contend with. 


Our approach aligns to industry best practice and offers independent support backed by extensive knowledge and experience.

Security Metrics Capability Wheel
SM Capability Model
Security Metrics Capability Wheel - Foundations


Policy – rigorous requirements ensure new metrics provide the measurement information that is needed right from the start.

Governance – a core business discipline. Without effective governance, a lack of buy-in and agreement to metrics from stakeholders will limit their success.


Roles and Responsibilities – these need to be well defined for all aspects of the metrics operating model, from metrics definition and collection, through to dashboarding. One of the most important responsibilities to define is ownership for ‘route to green’ remediation actions.

Security Metrics.png

Metrics Library

Our metrics library contains over 250 cyber measures which align to industry best practice, including ISO and NIST. Each measure has a proven, jargon-free definition that provides clarity on what it actually means.


We will work with you to align our ‘out of the box measures’ to both your controls and your organisation's language, giving you an immediate uplift in capability.


We use this library to identify gaps in your current control metrics, as well as help you improve the definition and clarity of any existing metrics.

Security Metrics Library Icon
Anatomy of a Security Metric

Building Good Security Metrics

Covering all dimensions of a control that contribute to ineffectiveness and risk.

Example Metrics

Penetration Testing Control

4. Event Root Cause – security events attributable to a control weakness. *Requires advanced maturity.

3. Remediation – the performance of activity to fix security issues.

2. Results – indicates the output of the control in terms of security issues.

1. Coverage – the percentage of assets a control is being applied to.

% of applications penetration tested in the last year.

% of applications with open, high-risk, penetration test results.

% of open, high-risk, penetration test results outside remediation.

Metric Dimensions
Security Metrics.png

Build Metrics Views To Support

Key Business Decisions

i-confidential Security Metrics Offering Logo
bottom of page