Your Metrics Need Metrics

Raw metrics are a great way to build trends at the close-tactical level, but what about the strategic level? Let’s take a military “call for fire” as an example. At the strategic level, fire teams may track how many fires it takes to “walk onto” or “bracket” the target before “firing for effect”. This is much like tracking an incident response team’s time-to-isolate and time-to-recover. These metrics are great for fine-tuning tactical responses, shortening the time to achieve results and wasting fewer resources; however, only by building metrics of these metrics can strategic command (the enterprise leadership) start to see how tactical responses respond to changes in the operating environment.

How quickly does the forward operator (incident responder) properly assimilate knowledge of and respond to new threats like an unknown combat vehicle (a newly discovered malware campaign)? This can be calculated using operator-level metrics to determine how the team’s efficiency changed over time for a specific event type, then comparing that change to the change in response efficiency for a newly discovered threat event type. If both threat events follow the same trend in efficiency change, the team may be operating as expected, but if the lines deviate, the team may be operating at reduced capacity or exceeding required capacity.

By building metrics on metrics, we can compare how efficiently the team responds to a tank (phishing email) versus a mobile anti-satellite command center (a trojan embedded in supply chain firmware). If you don’t metric, you can’t consistently and efficiently mature.
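The trend comparison described above can be sketched as follows. This is an added example, not the author's code. It assumes time-to-isolate follows a roughly log-linear learning curve per event type; the incident values, event-type names and the 0.05 tolerance are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample data: (event_type, time_to_isolate_minutes), listed in the
# order the incidents were handled. Event-type names are illustrative.
INCIDENTS = [
    ("phishing", 120), ("phishing", 96), ("firmware_trojan", 900),
    ("phishing", 77), ("firmware_trojan", 860), ("phishing", 61),
    ("firmware_trojan", 845), ("phishing", 49), ("firmware_trojan", 820),
]

def learning_rate(times):
    """Least-squares slope of log(time) against the n-th exposure to an event type.

    A slope of -0.2 means each new incident of this type takes roughly
    e**-0.2 (about 82%) of the time the previous one took.
    """
    n = len(times)
    if n < 2:
        raise ValueError("need at least two incidents to fit a trend")
    xs = range(n)
    ys = [math.log(t) for t in times]
    x_mean, y_mean = sum(xs) / n, sum(ys) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    return sxy / sxx

def rates_by_type(incidents):
    """The metric of the metric: one efficiency trend per event type."""
    series = defaultdict(list)
    for event_type, minutes in incidents:
        series[event_type].append(minutes)
    return {etype: learning_rate(times) for etype, times in series.items()}

def compare_trends(rates, baseline, new, tolerance=0.05):
    """Classify the new event type's trend against the established one."""
    gap = rates[new] - rates[baseline]
    if abs(gap) <= tolerance:
        return "as expected"
    return "improving slower than baseline" if gap > 0 else "improving faster than baseline"

if __name__ == "__main__":
    rates = rates_by_type(INCIDENTS)
    for etype, rate in rates.items():
        print(f"{etype}: {rate:+.3f} log-minutes per incident")
    print(compare_trends(rates, "phishing", "firmware_trojan"))
```

With this sample data the team shortens phishing isolation by about 20% per incident but firmware-trojan isolation by only about 3%, so the two lines deviate.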