Read part 1 of this series here.
Metrics play a crucial role in understanding the performance of Security Operations Center (SOC) functions. They serve as a kind of “score,” highlighting areas for improvement while showcasing existing strengths. But the most effective metrics are not created in isolation; they require input and buy-in from various organizational stakeholders.
In this second installment of my Infinite Quest series on building and leading sustainable security operations, I will share a consensus-driven approach to developing SOC metrics that has proven successful over my two decades of experience leading security teams. This collaborative method ensures the metrics align with broader business objectives while addressing specific security concerns.

The Boss Battle: Slay the Metric Misalignment Monster
Security teams often develop metrics without sufficient input from other departments, resulting in measurements that may be technically sound but fail to resonate with leadership or support business goals—a solo quest that doesn’t advance the main storyline, if you will. Even when security teams engage with leadership, executives may struggle to articulate their security concerns in ways that are specific and measurable.
The key challenge lies in developing security metrics that are:
- Relevant to various stakeholders
- Specific enough to guide action
- Measurable in consistent ways
- Aligned with business objectives
A Framework for Building Consensus
Level 1: Gather Intel from Key Allies
Instead of asking stakeholders directly about security concerns—something they may not naturally consider part of their role—focus discussions on broader business priorities:
- What does success look like for your department?
- How would optimal security performance benefit your operations?
- What types of disruptions would significantly impact your ability to achieve objectives?
This approach reveals where security intersects with stakeholders' priorities, providing a foundation for developing metrics that matter across the organization.
Level 2: Forge Shared Narratives
After gathering feedback, look for patterns and translate them into clear narratives. These narratives bridge the gap between technical security concerns and stakeholder priorities.
For example, senior leadership might not explicitly ask about threat detection, but they may be concerned about how the organization is performing compared to industry peers. The next step is to translate this general concern into specific measures, which we can do by asking clarifying questions.
Level 3: Craft Metrics from the Lore

- Have there been recent high-profile attacks on similar organizations?
- Are those attack vectors relevant to our environment?
- Why were we (or weren't we) impacted by similar tactics?
This process transforms qualitative concerns into actionable metrics, such as:
Of the five major attacks targeting our industry this quarter, we proactively mitigated three through existing controls and effectively responded to two with minimal impact.
Party Perks: Power-Ups from the Consensus Approach
This stakeholder-driven methodology offers several advantages:
- Relevance: Metrics address what truly matters to different parts of the business.
- Engagement: Stakeholders are more likely to pay attention to metrics they helped shape.
- Alignment: Security priorities become naturally aligned with business objectives.
- Communication: Technical security concepts are translated into business-friendly language.
- Adaptability: The approach scales across various organizational structures.
Quest Log: Tips to Equip Your Team for Implementation
Existing libraries and frameworks are great cheat codes for developing new metrics. One of my favorites is the SOC-CMM Metrics Suite, which contains a robust library aligned to the SOC-CMM domains. You can download it for free from the CMM website.
Measuring the effectiveness of your SOC is as much an infinite quest as conducting security operations. Stay aligned to business considerations and keep leveling up by:
- Including stakeholders from across all organizational levels, not just executives
- Documenting each metric with a unique title, type, data source(s), target threshold, audience, and narrative(s)
- Revisiting metrics periodically to reflect evolving business priorities
- Raising the bar on SOC metrics that are easily met (switch to hard mode!)
- Presenting metrics in a format and language appropriate to the audience
By developing metrics through collaborative consensus, security teams can shift from measuring activity to measuring impact—demonstrating how security both enables and protects what matters most to the organization.