There is no lack of metrics within the cybersecurity space. If you are a Microsoft customer, look at all the data you can find in the Microsoft Defender dashboard, for example. On the front page, there are more than 50 different metrics. It looks impressive, but what do they tell us, and more importantly, what do we do with them?

This tells us two essential things; unfortunately, neither is encouraging.

1. When working in cybersecurity, we excel at creating metrics but struggle to act on them

Let’s begin with the most obvious point: technologists are passionate about technology! Especially new technology that we can implement in our organization. All this technology comes with enough metrics to satisfy all the needs you didn’t know you had. The problem is that the data is so complex and the numbers so many that you drown in them, and when you drown in them, you lose sight of the essential problems—the problems you need to act on now.

Most dashboards might have high-impact alerts or something similar, but how do they know what’s the most critical thing in your organization? Do they have the context right? Do they consider the human element? Probably not!

So, what’s the solution? I don’t think there is one single solution to this issue, but one thing is sure: we won’t solve this with more metrics from another tool. We need fewer metrics with higher impact that are actionable in our organizational context. What matters the most for a Fortune 500 company might not even be in scope as a high-impact issue for a medium-sized European company.

2. Many of us are still failing when we try to create good metrics for the broader scope of information security

When I say many of us, I include myself in that statement. When I’m challenged with meaningful metrics on information security at a high level, it’s hard to find the right ones that illustrate how technology and humans impact our overall information security posture.

I have seen metrics such as data exfiltration rates and breach frequency as measures for information security. Yes, they indicate something about security posture, but not much more than suggesting that if they are high, you have a problem. Where is the problem, or perhaps who is the problem? This can’t be answered without obtaining a few high-impact metrics within your organizational context. I have yet to see a good tool that puts the human element first and then builds around that with technical/cybersecurity metrics.

I would trade 500 meaningless cybersecurity metrics for five human-first information security metrics any day of the week!