
SOC Metrics: Measuring SecOps KPIs


What are SecOps metrics and KPIs?

SecOps metrics are trackable bits of data that quantify various aspects of your security operations center (SOC), such as performance or efficiency. Essentially, collecting these metrics over time can tell you how effective, efficient, or successful your security operations center is at fulfilling its internally declared goals. 

While a vulnerability management program might focus on static, point-in-time data (like the percentage of assets with critical or high severity vulnerabilities), SecOps metrics are all about operational efficiency and time (i.e., how much time it took to detect, respond to, or neutralize a threat). KPIs, on the other hand, are measures that tell you how effective the SOC is at pursuing specific business objectives. 

Many SOC teams struggle with measuring the outcome of their efforts (and explaining their value), despite the importance of those efforts for the security of the entire company. In this article, we’ll take a closer look at SecOps metrics, KPIs, and discuss how important it is to choose the right types of metrics and KPIs for your unique business needs. We’ll also share a few best practices for improving essential metrics to help you maintain efficient, successful SecOps, paving the way for ironclad security.

How do metrics and KPIs demonstrate value to stakeholders?

Both metrics and KPIs are evidence that your SOC contributes to the security of your organization by actively defending it against threats, mitigating risks, and improving its security posture. Stakeholders can review this information and see firsthand that your efforts have produced tangible, meaningful results. Those quantifiers can also serve as a great demonstration of efficiency—putting real results behind base and additional spending to reassure them that the SOC makes the most of its budget.

Another benefit? Metrics and KPIs can be a means of comparison between other organizations or a benchmark against regulatory requirements. Simply put, you can use this data to prove that money and time investments helped your teams follow the best practices, kept your business compliant, and put you in line with—or ahead of—the competition.

Types of SecOps metrics and KPIs

There are quite a few commonly adopted metrics and KPIs. To make things easier to remember, here are a few popular ones, organized into three categories: detection, investigation and response, and operational metrics:

Detection

Detection metrics and KPIs focus on what your SOC did or didn’t notice. If you’re not doing well in this category, it means issues or events might be somehow slipping past your SOC. The result? The rest of the gathered data might become distorted, giving you an inaccurate representation of what’s truly happening.

Mean time to detect (MTTD)

MTTD is one of the most critical detection KPIs because it tells you how much time it took your SecOps team to detect a threat. It should be as low as possible—the bigger it gets, the more time on average attackers have to act against you.

Detection coverage

This metric shows a percentage of detection mechanisms you’ve deployed and tested, measured against a commonly adopted framework (think MITRE ATT&CK). Even though it might seem a bit counterintuitive, achieving 100% detection coverage isn’t realistic. Of course, your coverage percentage should be high, but aiming for full coverage would mean tremendous efforts spent on building detection measures against threats that might never materialize. A coverage of 50–60% can be considered healthy, and you should take care to prioritize the threats that matter most for your organization’s threat model.

False positive/negative rates (FPR/FNR)

False positives and negatives represent two sides of the same coin. They both tell you that your detection was wrong. Too many false positives will overwhelm your SecOps team, who will waste time and energy trying to respond to non-existent threats, possibly missing some real ones in the process. Too many false negatives undermine the safety of your business, indicating there’s a good chance a real threat will be underestimated and allowed to pass through.

Investigation and Response

Investigation and response data describes how effective your SOC is at processing gathered information. Bad scores in these metrics indicate that there’s either too much noise to filter out accurately or your team might need reinforcements or more training to better handle alert triage.

Mean time to investigate (MTTI)

MTTI shows the average time it takes your team to investigate a possible but unconfirmed threat and decide whether it’s a real threat that should be followed up on—or just a false positive that can be disregarded. 

Mean time to attend and analyze (MTTA&A)

Measuring MTTA&A tells you the average time your SOC needs to respond to a detected incident, decide on its priority, gather information about its potential impact on the business, determine its scope, and propose a way to resolve it. 

Threat intelligence utilization effectiveness

This KPI tracks how useful the gathered threat intelligence is to your SOC. In other words, how effectively your team can use that information to its advantage. Lower scores don’t have to mean that most of the gathered intel is worthless. It might be very insightful but not integrated well enough into your incident response tools and systems to make use of it in the time of need.

Operational

Operational metrics and KPIs, often considered the general quantifiers of success, focus on how well the SOC handles the information gathered during detection and investigated during analysis.

Mean time to respond (MTTR)

Also known as mean time to remediate and mean time to resolution, MTTR is one of the most important metrics to observe. Generally, it outlines how fast your team takes conclusive action. The clock starts when an incident or issue is reported or otherwise identified and stops when the case is effectively resolved. In essence, it tracks how quickly your SOC connects the dots and transforms gathered information into informed action. 

Incident closure rate

Incident closure rate tells you how many incidents (out of all the open cases in a certain timeframe) achieved successful resolution. 

Incident escalation rate

Incident escalation rate outlines the number of incidents your team had to escalate—or transfer to senior staff, higher-level teams, or external consultants—in order to solve them. It can be a really useful indicator because higher escalation rates mean your team might have lacked information, expertise, or authority to close cases on its own and had to close those gaps using external assistance or resources.
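As an added illustration (not code from the article or from Wiz), the following computes the timing and accuracy metrics defined above from a constructed set of case records. The Case fields, the function names, and the sample timestamps are assumptions; MTTD is measured from first attacker activity (known only after forensics) to the alert, MTTI from alert to triage verdict, and MTTR from alert to resolution. The closure_rate function also shows how counting false positives closed at triage inflates the headline number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional
@dataclass
class Case:
    # One SOC case; field names are hypothetical, map them to your own SIEM/ticketing schema
    alert_id: str
    activity_start: Optional[datetime]  # first attacker activity (from forensics); None for false positives
    detected_at: datetime               # alert fired
    triaged_at: datetime                # analyst verdict reached (true or false positive)
    resolved_at: Optional[datetime]     # containment/remediation complete; None while still open
    true_positive: bool

def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def mttd_hours(cases):
    # Mean time to detect: activity start -> alert, over confirmed true positives only
    return mean(hours(c.detected_at - c.activity_start) for c in cases if c.true_positive)

def mtti_hours(cases):
    # Mean time to investigate: alert -> verdict, over every alert (false positives burn analyst time too)
    return mean(hours(c.triaged_at - c.detected_at) for c in cases)

def mttr_hours(cases):
    # Mean time to respond: alert -> resolution, over resolved true positives only
    return mean(hours(c.resolved_at - c.detected_at) for c in cases if c.true_positive and c.resolved_at)

def false_positive_rate(cases):
    return sum(not c.true_positive for c in cases) / len(cases)

def false_negative_rate(cases, missed):
    # `missed`: incidents no alert fired for, learned of another way (red team, external report)
    return missed / (sum(c.true_positive for c in cases) + missed)

def closure_rate(cases, true_positives_only=False):
    # The "is it meaningful?" check: false positives closed at triage inflate the headline number
    pool = [c for c in cases if c.true_positive] if true_positives_only else list(cases)
    return sum(c.resolved_at is not None for c in pool) / len(pool)

T0 = datetime(2024, 5, 1, 8, 0)
def H(n): return T0 + timedelta(hours=n)
CASES = [  # constructed sample cases for one reporting window (not real data)
    Case("A1", H(0), H(2), H(3), H(10), True),
    Case("A2", H(24), H(30), H(31), H(50), True),
    Case("A3", None, H(48), H(49), H(49), False),  # false positive, closed at triage
    Case("A4", None, H(72), H(73), H(73), False),  # false positive, closed at triage
    Case("A5", H(96), H(100), H(102), None, True),  # confirmed, still open
]
```

On the sample data the overall closure rate is 80%, but only 67% of confirmed incidents are actually resolved; the false negative rate can only be computed once missed incidents surface through another channel.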

How do you choose the right SecOps metrics and KPIs?

In an ideal world, the SOC should play one of the most important roles in an organization: maintaining the security of operations. That said, if the SOC’s goals aren’t aligned with the goals of that particular organization, this mission is doomed to fail. When there’s a mismatch in goals, collaboration turns into a lengthy, cumbersome battle to justify expenses, effort, and time spent. 

The end result? Productivity, efficiency, value, and relevancy are lost, leading stakeholders to doubt whether an investment in the SOC actually furthers the interests of the company and provides enough return to be worth maintaining.

In short, focusing on the wrong KPIs and metrics might cause you to miss the ones that matter to your business and its goals, provide little to no benefit for the effort required, lose crucial stakeholder trust, and hurt your security posture instead of improving it. 

The easiest way to make sure you’re choosing the right ones is to ask the following questions:

Is it meaningful?

A meaningful metric has an important purpose. A meaningless metric just looks good. Incident closure rate is a great example of failing this check: Does a large number of closed incidents mean that the company is now more secure? Not exactly. They might have been closed because they were false positives from flawed detection, because insufficient observability provided too little data to properly assess the situation, or incorrectly on purpose—to bump up a number mistaken for an indicator of success.

Is it actionable?

How does this metric relate to a specific part of the SOC or the business that can be adjusted and improved? For instance, take a look at total alert volume. Is it bad? Is it good? What should you do with the fact that the SOC has received a specific number of alerts, other than just make a note? In contrast, a metric such as detection accuracy can be acted on. If there are too many false positives or negatives, there’s room for evaluation and improvement.

Is it relevant?

Does measuring this specific metric help you achieve goals relevant to the business? A company that wants to improve its cloud compliance isn’t that interested in the exact number of deployed firewall rules because this data matters much less than failed or passed compliance control checks, for instance.

Remember: Even if a specific metric passes those checks at the moment, it’s important to revisit and re-evaluate your picks on a regular basis. Your business and its goals constantly change—and so does the threat landscape. To remain effective, the SOC must adapt as well, shifting its attention to the areas most relevant and important at the moment.

Best practices for improving your SecOps metrics

Choosing the right metrics and KPIs is just half the battle; now they need to improve. Luckily, there are actionable ways to improve in each of the three mentioned categories we discussed above:

  • Detection: Start by evaluating your current detection tools and methods and fine-tuning them. After all, a bunch of misleading alerts is much less useful than a single, correct one. A thorough analysis of past, current, and anticipated risks might help you improve your detection. Based on the results of your analysis, you can identify and cover blind spots by redirecting effort and resources from where they don’t matter much to where they matter the most.

  • Analysis: Before touching anything else, revisit detection. If there’s too much noise to deal with, improvements here won’t do any good. Once you’re sure that the information sources are accurate and your team just struggles to process it all, consider additional training for your analysts. You can also invest in gathering better threat intelligence or deploying new tools. Your team could use those to provide better-informed, more certain answers faster.

  • Operational metrics: Because operational metrics are mostly about how quickly and efficiently you can act, difficulties can often be resolved by setting clear and actionable procedures, roles, and responsibilities. If issues stem from too much work put on the team, automation can become a perfect extension of its capabilities. Automation reduces the load by taking over repetitive, cumbersome, or time-consuming tasks—with the additional benefit of reaction and execution speed.

Wiz Defend helps SecOps teams monitor critical metrics

If there are gaps in your vision, your analysis seems off, or operations don’t work out too well, it might be a great time for a tool upgrade. Enter Wiz Defend.

Wiz Defend is a detection and response platform that provides deep visibility into metrics that truly matter. Defend combines the speed of automation with accuracy that’s based on comprehensive collection and analysis of your threat intelligence. With cloud investigation and response automation, you can quickly reduce your MTTD, root out false positives and negatives, and improve both the efficiency and the effectiveness of resolutions delivered by your SecOps teams. 

Better yet? The Wiz Threat Center helps you proactively defend against emerging threats, while identity and data detection and response features keep your sensitive data and privileged identities under surveillance, flagging anomalies and malicious behavior in real time—with full code-to-cloud context.

Figure 1: Wiz lets you see emerging threats in real time, at a glance

Defend is also a perfect way to align your SecOps with your business objectives. Easier, faster, more precise, and less error-prone security operations directly translate into fulfilled goals, stakeholder satisfaction, and most importantly—robust, resilient security.

Trusted by more than 45% of Fortune 100 companies, our cutting-edge solution allows you to fortify against the dangers of the dynamic, ever-changing digital landscape. If you’re interested in learning more about Wiz Defend, click here to get a personalized demo, and see for yourself how Wiz can protect everything you build and run in the cloud. 
