As described in the Network Security Operations (NSO) Quant report, for each process we determined a set of metrics to quantify the cost of performing the activity. We designed the metrics to be as intuitive as possible while still capturing the necessary level of detail. The model collects an inclusive set of potential network security operations metrics, and as with each specific process we strongly encourage you to use what makes sense for your own environment.

So where do you get started? First download the spreadsheet model (zipped .xlsx).

We recommend most organizations start at the process level. That involves matching each process in use within your organization against the processes described in this research, before delving into individual metrics. This serves two purposes:

  • First, it helps document your existing process or lack thereof. All the metrics in the model correlate with steps in the NSO Quant processes, so you’ll need this to begin quantifying your costs.
  • Second, you may find that this identifies clear deficiencies in your current process – even before evaluating any metrics. This provides an opportunity for a quick win early in the process to build momentum.

Applicable metrics for each specific process and subprocess are built into the spreadsheet, which can be built up to quantify your entire Network Security Operations program. Thus you make detailed measurements for all the individual processes and then combine them, subtracting out overlapping efforts. Most of the metrics in this model are in terms of staff hours or ongoing full-time equivalents; others are hard costs (e.g., licensing fees, test equipment, etc.).