Amid the constant and evolving pressure of modern security, teams face an unexpected adversary — their own performance metrics. That’s according to new research from IDC's Voice of Security 2025 white paper, sponsored by Tines and AWS, which shows that many organizations use metrics that are fundamentally disconnected from security team effectiveness.
The survey of over 900 security leaders across the US, Europe, and Australia revealed a troubling trend:
- 34.9% of teams are measured by "number of incidents handled" — this was the most common metric among those surveyed
- 23.4% are measured by "number of alerts"
These metrics are not just inadequate; they can be an unwelcome distraction for security teams looking to measure and improve their performance. It’s akin to judging a firefighter's performance by the number of fires in their town — a factor largely outside their control.
The research underscores the critical need for security leaders to align with business leadership on metrics that truly reflect security effectiveness by measuring their contribution to organizational resilience, business growth, and profitability.
Confusing activity with effectiveness
For security practitioners, it's clear that metrics like "number of incidents handled" and "number of alerts" offer little insight into a team's effectiveness. While useful for understanding the threat landscape, these metrics shouldn't be a yardstick for a security team's performance. After all, how can a team establish what "good" looks like? Is there an "ideal" number of incidents a team should be handling? It's easy to see how such numbers can get already-oversubscribed practitioners tied up in knots.
More concerning is how flawed performance metrics can inadvertently undermine team morale and effectiveness. IDC's research reveals a strong connection between misaligned metrics and job satisfaction: among security leaders reporting low job satisfaction, the top contributing factor was a "lack of respect and support from other leaders at the organizations."
The solution? Focus on metrics that paint a picture of resilience
Encouragingly, the research also showed that more meaningful metrics being used to track security team performance:
- Mean time to respond (32.2%)
- Time to detect (31.5%)
- Time to containment (28.4%)
- Reduction of false positives (22.4%)
- Time to eradication (23.4%)
These metrics offer a more nuanced view of a security team's effectiveness, focusing on speed, accuracy, and impact rather than incident or alert volume. They provide insights into how quickly teams can identify, contain, and resolve threats — factors that directly contribute to an organization's resilience.
By prioritizing these types of metrics, organizations can better understand their cybersecurity effectiveness and make more informed decisions about resource allocation and strategy.
And aligning these metrics with broader business goals can help bridge the gap between security teams and organizational leadership, fostering greater support and recognition for security initiatives.
Key recommendations for aligning security metrics with business goals
To bridge the gap between security efforts and business outcomes, security leaders can:
- Advocate for resilience-focused metrics. Shift from traditional volume-based metrics to those that emphasize long-term impact.
- Align with business objectives. Explicitly tie security performance to core business goals such as risk reduction, organizational resilience, operational efficiency or “uptime”, customer trust, regulatory compliance, and profitability (by avoiding the high costs associated with security incidents).
- Prioritize ROI in reporting. Develop a security performance dashboard that includes a “security ROI” metric, offering an easy reference point for C-suite discussions.
- Foster cross-organizational alignment. Partner with stakeholders across the business to ensure buy-in on these new metrics and demonstrate security's direct contribution to business success.
Effective security metrics vary by team and organization — what works for one may not suit another. But every security team can benefit from deprioritizing ineffective metrics that waste valuable time and resources, and threaten to add to an already-heaving workload.
By focusing on outcomes that truly strengthen organizational resilience, security leaders can better demonstrate their value and gain crucial support from the broader business.
For more insights on how security leaders are tackling their top challenges in 2025, read IDC's white paper.
