You’ve developed a program that addresses security at the different stages of the development pipeline. You have a roadmap that plots the midterm and long-term goals of the application security team going forward. But how do you know whether the program is effective and that all the hard work you and your team have put in has paid off? Gathering metrics is a priority for any project or program: it is how you confirm that the returns the project was started to deliver are actually there. Metrics are also used to determine whether the project is on track and will complete with the expected outcomes.
For security projects specifically, the metrics are not much different. You still want to know whether the project is on track and will have the expected outcome. However, they are also used to determine whether the processes you have are working, whether the security posture of the organization is getting better, and whether the tools you use are effective. This is helpful when you are evaluating a new tool to fill a gap, or a competitor to a tool you already use: you have baselines for the current state and can compare them against what the potential new tool delivers.