What gets measured gets managed. You probably intuitively sense the truth in that statement, but are you practicing it? Specifically, are you measuring your security operations center’s (SOC) performance?

Measuring the IT security team’s performance has always been subjective. With more and more security techniques emerging in the last decade, your organization may have come up with different metrics to measure the performance of its SOC. But are you correctly measuring the SOC’s output? Most of the time, organizations measure the right parameter but in the wrong way.

Let me elaborate on this with an example. Let’s say the average number of incidents recorded over a month is 150. Out of these incidents, 50 may be actual security incidents while the rest are false positives. Calculating the average incident resolution time based on these 150 incidents will only lead to the wrong result.

In the above case, choosing the number of incidents recorded as the key performance indicator (KPI) is correct, but the way of calculating the average incident resolution time is wrong. Deciding on a budget and allocating resources based on this result would be a terrible mistake.

Let’s look at another example. Which is a better KPI: resolving three incidents per month or resolving no incidents at all?

If your security strategy is to prevent attacks, then the latter should be your KPI. Alternatively, if your security strategy focuses on detecting and resolving incidents quicker, then you must compare the number of incidents resolved over a few months.

How do you know which parameters and methods are right for your organization? How do you know if the results you obtained are accurate, allowing you to confidently make decisions based on those findings? As illustrated in the second example, the only way to accurately measure the performance of your SOC is to align your performance metrics with business context.

We at ManageEngine have decided to conduct exhaustive research on how SOCs around the globe function. We want to know what metrics enterprises of varied sizes use to gauge the performance of their SOCs; how they’ve aligned these metrics with their business goals; and how ready SOCs are to adapt to changes in the IT security landscape.

Just take this two-minute survey and help us understand how enterprises are measuring the performance of their SOCs. Once we’ve analyzed the data, we’ll release our findings to help enterprises like yours improve SOC performance.

  1. Peter

    “What gets measured gets managed”

    That is so(!) terrible wrong! The daily business is FULL of measures, where nobody is interested in. You can measure everthing – and decide to discard the results. You could claim that this is bad management, and you’re right. But that doesn’t make the the statemet less false.

    Turn it around, and it makes sense: you can only manage what you measure.

    Measuring does not lead to management, but management requires measurement.