Post

Security Metrics That Help Engineering Teams

Posted Updated
By Nathan Berg
1 min read
Security Metrics That Help Engineering Teams

Good security metrics create clarity and drive action. Bad metrics create noise, blame, and workarounds. The goal is to measure outcomes that engineering teams can influence, then use those signals to improve decisions.

This post outlines a small set of metrics that are practical for product and platform teams.

Context

Problem: Security metrics often create noise instead of action. Approach: Focus on leading indicators tied to engineering workflows. Outcome: Clearer priorities and better collaboration.

Focus on leading indicators

Lagging indicators like “number of incidents” are useful for reporting, but they are hard to improve directly. Leading indicators show whether security is getting better before something breaks.

Five metrics that work

MetricWhy it mattersTarget
Critical vuln MTTRShows whether high-risk issues are addressed quickly< 14 days
CI security coverageMeasures how many repos run SAST/DAST or dependency scans90%+
Auth hardening coverageTracks MFA, SSO, or strong auth adoption100% for admin apps
Log visibility for tier-1 servicesEnsures you can investigate incidents quickly100%
Security review throughputConfirms that new features are reviewed before release90%+

Keep the list short and review it quarterly.

Define clear data sources

Each metric should have a single source of truth. Examples:

  • Vulnerability tracking system for MTTR.
  • CI pipeline logs for coverage.
  • IdP or access logs for MFA adoption.
  • SIEM ingestion for logging coverage.
  • Design review tickets for security review throughput.

If you cannot automate collection, simplify the metric.

Avoid vanity metrics

Do not measure what looks impressive but does not change behavior. Examples:

  • Total vulnerabilities found (findings without context).
  • Number of scans run (volume is not value).
  • Lines of code scanned (inflates without improving security).

Share metrics with context

Metrics should start conversations, not end them. Pair each metric with a short narrative:

  • What changed this month?
  • What blockers exist?
  • What is the next action?

This keeps the focus on improvement instead of scorekeeping.

Takeaways

Security metrics are only useful when they drive action. Choose a small set of leading indicators, tie them to real data sources, and review them with engineering teams on a regular cadence.

blog
metrics devsecops risk security
This post is licensed under CC BY 4.0 by the author.