Implementing an effective cybersecurity metrics program
As cybersecurity programs mature, the ability to communicate progress, risk, and impact to a broad set of stakeholders becomes increasingly important for building trust and enabling informed decision-making. Whether engaging product teams or communicating with leadership, nothing has as much impact and influence as a good story well told – especially when it’s backed up by meaningful data.
At Adobe, we believe that data-driven storytelling is one of the most powerful tools for driving alignment and action across the business. That’s why we’ve made significant investments in building a robust cybersecurity metrics program – one that provides the insights we need to measure progress, evaluate risk, and demonstrate the value of our security initiatives across the business.
In this blog, I’ll share insights into how we’ve built our cybersecurity metrics program at Adobe and the key lessons we’ve learned along the way.
Leveraging data for security impact
Collecting and analyzing a range of security data helps us identify areas of risk and opportunity. With this data, we can prioritize the actions that deliver the most meaningful improvements to our security posture. Because the threat landscape changes quickly, our targets evolve with it.
But beyond measuring for measurement’s sake, we want our metrics to serve a purpose – to be a workhorse that drives effective communication and informed decision-making within our teams and across the business. Data alone can’t speak for itself. At the same time, stories without data might lack credibility. It’s the interplay between the data and storytelling that makes a message compelling and effective. This data-driven approach helps enable our security organization to allocate resources more efficiently to help address potential threats.
Structuring an effective cybersecurity metrics program
So now that you know the basics, how do you structure an effective cybersecurity metrics program? Here are some key strategies that have worked for us at Adobe:
Secure leadership buy-in
Ensure leaders are willing to support data collection across the organization. Without support from senior leadership, a metrics program can struggle to gain traction or influence decision-making.
Align with industry standards
To align with industry best practices, it can be useful to benchmark your program against NIST SP 800-55 and CIS Critical Security Controls V7. The National Institute of Standards and Technology (NIST) focuses on the processes surrounding measurement, while the Center for Internet Security (CIS) provides concrete implementation metrics (e.g., a tool deployment or process adherence) for assessing security posture.
Define clear outcomes
Start with the decisions you want to enable – not the data you have. Clarify the questions you want to answer or the story you want to tell and let that guide your data collection. For example, you may want to understand how hard it is for teams to rotate their access keys, in order to decide whether automation is needed. With the core question defined, you could then identify that you have ticketing data that can help paint that picture. By tracking how long it takes teams to close tickets for expired access keys, you can deduce whether there is a need for automation.
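The access-key example above, worked through as an added illustration (not Adobe's code or data): a constructed export of "expired access key" tickets is aggregated per team into time-to-close figures, with still-open tickets aged against a reporting date so unclosed work is not hidden, and teams whose median exceeds an assumed SLA are flagged as automation candidates.

```python
from datetime import datetime
from statistics import median

# Constructed sample ticket export (not real data): one row per
# "expired access key" ticket; closed=None means still open.
TICKETS = [
    {"team": "payments", "opened": "2024-03-01", "closed": "2024-03-03"},
    {"team": "payments", "opened": "2024-03-05", "closed": "2024-03-06"},
    {"team": "payments", "opened": "2024-03-10", "closed": "2024-03-12"},
    {"team": "media",    "opened": "2024-03-01", "closed": "2024-03-20"},
    {"team": "media",    "opened": "2024-03-02", "closed": "2024-03-30"},
    {"team": "media",    "opened": "2024-03-15", "closed": None},
]
AS_OF = "2024-04-01"  # assumed reporting date for ageing open tickets


def _days(start, end):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).days


def rotation_metrics(tickets, as_of=AS_OF):
    """Per team: median and max days to close, plus count of open tickets.
    Open tickets are aged against `as_of` rather than dropped, so a team
    that never closes tickets still shows a long time-to-rotate."""
    by_team = {}
    for t in tickets:
        end = t["closed"] or as_of
        entry = by_team.setdefault(t["team"], {"ages": [], "open": 0})
        entry["ages"].append(_days(t["opened"], end))
        if t["closed"] is None:
            entry["open"] += 1
    return {
        team: {
            "median_days": median(e["ages"]),
            "max_days": max(e["ages"]),
            "open": e["open"],
        }
        for team, e in by_team.items()
    }


def automation_candidates(metrics, sla_days=7):
    """Teams whose median time-to-rotate exceeds the (assumed) SLA: the
    signal the post describes for deciding whether to invest in automation."""
    return sorted(t for t, m in metrics.items() if m["median_days"] > sla_days)


if __name__ == "__main__":
    m = rotation_metrics(TICKETS)
    print(m)
    print("automation candidates:", automation_candidates(m))
```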
Tailor reporting dashboards
The key to designing effective and user-friendly dashboards is knowing who your audience is. For example, security leaders typically need a high-level view across the company, while product owners will want insights specific to their areas of ownership.
Assign clear roles and responsibilities
At Adobe, we recognize that maintaining a strong metrics program can’t happen in a silo. A robust metrics program can be more successful when collaboration is driven across clearly defined, purpose-driven roles:
- Data Engineer: Manages and processes the data to ensure accurate collection and maintenance.
- Metric Owner: Owns individual metrics, bringing subject matter expertise and guiding visualization.
- Metrics Champion: Acts as a liaison across teams, connecting the data to broader operational goals and driving prioritization.
This blend of expertise allows us to foster accountability and transform raw data into strategic insights that drive meaningful security improvements.
Review metrics regularly
We hold live metrics reviews on a regular basis with executive leadership to assess performance against targets, identify trends, and celebrate wins. These sessions foster accountability, guide resource allocation, and drive continuous improvement across our security initiatives.
To keep the data accurate and relevant over time, metric owners are accountable for the data they provide, and we apply a metrics maturity model to evaluate and improve data quality. This approach helps prioritize investment where metrics need refinement or further development.
How to make your data tell a story
Now that you’re familiar with our metrics program, let’s circle back to this question: how do you use data to tell a compelling story and drive meaningful impact within your organization?
It’s important to see data not just as a collection of numbers, but as a strategic communication asset that influences where and how we focus our efforts to reduce risk. To tell a great story, a simple formula can help:
Story = Setup + Event + Resolution
In the setup, you establish the context, the current state of the world, using data to identify the size or scope of the problem. For example, measuring how many open tickets or vulnerabilities exist across product teams helps paint the baseline picture.
Then comes the event, also known as the ‘conflict’ or ‘happening.’ The idea is that some action changes the direction of the story. For example, this could be launching a dashboard that shows each team its open vulnerabilities and starting monthly reviews of that dashboard with leadership.
Once we get to the resolution, we return to the data to help close out the story and show measurable impact. For example, teams that participated in monthly reviews reduced vulnerabilities by 20 percent, while other teams that did not conduct monthly reviews saw no change.
Putting it all together, this story provides a clear signal that continuing or expanding these meetings can drive broader improvement. If we face resistance from product teams, we can recount our story as evidence of meaningful risk reduction that has influenced positive change.
Outcome
At Adobe, our cybersecurity metrics program helps enable faster, more informed decision-making by combining data-driven management with impactful storytelling. It creates a shared operating picture across teams, making metrics an integral part of both day-to-day operations and long-term strategic planning. By weaving metrics into the fabric of our initiative planning process and fostering a culture of data awareness, we help empower our security teams to proactively identify and mitigate potential risks. This approach not only helps us strengthen our security posture but also builds a more resilient, security-conscious organization.