New research reveals flaws in security team performance metrics 

Amid the constant and evolving pressure of modern security, teams face an unexpected adversary — their own performance metrics. That’s according to new research from IDC's Voice of Security 2025 white paper, sponsored by Tines and AWS, which shows that many organizations use metrics that are fundamentally disconnected from security team effectiveness. 

The survey of over 900 security leaders across the US, Europe, and Australia revealed a troubling trend: 

These metrics are not just inadequate; they can be an unwelcome distraction for security teams looking to measure and improve their performance. It’s akin to judging a firefighter's performance by the number of fires in their town — a factor largely outside their control. 

The research underscores the critical need for security leaders to align with business leadership on metrics that truly reflect security effectiveness by measuring their contribution to organizational resilience, business growth, and profitability. 

Confusing activity with effectiveness 

For security practitioners, it's clear that metrics like "number of incidents handled" and "number of alerts" offer little insight into a team's effectiveness. While useful for understanding the threat landscape, these metrics shouldn't be a yardstick for a security team's performance. After all, how can a team establish what "good" looks like? Is there an "ideal" number of incidents a team should be handling? It's easy to see how such numbers can get already-oversubscribed practitioners tied up in knots. 

More concerning is how flawed performance metrics can inadvertently undermine team morale and effectiveness. IDC's research reveals a strong connection between misaligned metrics and job satisfaction: among security leaders reporting low job satisfaction, the top contributing factor was a "lack of respect and support from other leaders at the organizations." 

The solution? Focus on metrics that paint a picture of resilience 

Encouragingly, the research also showed that more meaningful metrics being used to track security team performance: 

These metrics offer a more nuanced view of a security team's effectiveness, focusing on speed, accuracy, and impact rather than incident or alert volume. They provide insights into how quickly teams can identify, contain, and resolve threats — factors that directly contribute to an organization's resilience. 

By prioritizing these types of metrics, organizations can better understand their cybersecurity effectiveness and make more informed decisions about resource allocation and strategy.  

And aligning these metrics with broader business goals can help bridge the gap between security teams and organizational leadership, fostering greater support and recognition for security initiatives. 

Key recommendations for aligning security metrics with business goals 

To bridge the gap between security efforts and business outcomes, security leaders can: 

Effective security metrics vary by team and organization — what works for one may not suit another. But every security team can benefit from deprioritizing ineffective metrics that waste valuable time and resources, and threaten to add to an already-heaving workload. 

By focusing on outcomes that truly strengthen organizational resilience, security leaders can better demonstrate their value and gain crucial support from the broader business. 

For more insights on how security leaders are tackling their top challenges in 2025, read IDC's white paper.