CHAPTER 8

Measuring DevSecOps

INTRODUCTION

For a DevSecOps transformation to succeed, it is critical to measure it. To truly have a culture of continual learning, you must measure the progress. The very act of defining these measures can help ensure that you have properly articulated the direction you want to take. Tracking progress against these measures helps ensure that you are moving in the right direction and delivering the intended results.

At this point in the maturing DevSecOps movement, there is a huge variety of metrics. It is possible to look at metrics from different organizational levels, for many different purposes, and over different timescales. The metrics that a security operations team lead needs to manage their team on a daily basis will necessarily differ from the metrics that the board should review to make investment decisions on an annual basis. While there may be some overlap between audiences, you must consider the audience and the results you are trying to achieve by measuring and reporting. Ultimately, it is important that your metrics drive the action for which they are designed. If the selected metrics do not provide value and drive action, they should be abandoned. Review the metrics periodically to make sure that the organization's evolving needs are properly addressed.

Although there are a broad range of metrics that may be useful for your security program, this book focuses on metrics that are specific to DevSecOps and the ...

Get The DevSecOps Playbook now with the O’Reilly learning platform.
