No Metrics Are Better Than Bad Metrics in the SOC, Says NCSC

The article reports that many common SOC metrics are inaccurate or counterproductive, according to the National Cyber Security Centre (NCSC). It notes that, in a blog post, the NCSC's CTO for architecture, Dave Chismon, argues that organisations gravitate to easily countable measures, which can incentivise quick triage of false positives or overproduction of detection rules.
The only metric that matters, according to NCSC, is whether a SOC can detect and respond to attacks in a timely manner, i.e., time to detect and time to respond (TTD/TTR). Chismon also recommends red/purple teaming to assess a SOC’s TTD/TTR, while warning that other metrics like ticket counts should not be publicly reported to avoid driving the wrong activities.
The piece highlights several approaches to reduce TTD/TTR, including hypothesis-led hunting, maintaining hard thresholds for false positives, and tracking threat awareness, tooling expertise, and analyst engagement within the organisation. If a SOC suspects it is stuck with the wrong metrics, a credible red or purple team exercise can provide proof either way.
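As an added illustration (not code from the article or from NCSC), the Python below derives the TTD/TTR figures the article describes from constructed red/purple-team exercise records and checks an alert false-positive rate against a hard threshold; the record layout, alert counts and threshold value are assumptions for the example.

```python
# Added example: compute time-to-detect / time-to-respond from exercise records
# and apply a hard false-positive threshold. All data below is constructed.
from datetime import datetime
from statistics import median

# One row per red/purple-team attack step: when the step began, when the SOC
# detected it (None = never detected) and when it was contained (None = not yet).
EXERCISE = [
    {"step": "initial access",       "start": "2024-03-04T09:00:00", "detected": "2024-03-04T09:12:00", "contained": "2024-03-04T10:05:00"},
    {"step": "persistence",          "start": "2024-03-04T09:30:00", "detected": "2024-03-04T11:00:00", "contained": "2024-03-04T11:20:00"},
    {"step": "lateral movement",     "start": "2024-03-04T10:15:00", "detected": None,                  "contained": None},
    {"step": "exfiltration",         "start": "2024-03-04T12:00:00", "detected": "2024-03-04T12:06:00", "contained": None},
    {"step": "privilege escalation", "start": "2024-03-04T09:45:00", "detected": "2024-03-04T13:00:00", "contained": "2024-03-04T13:30:00"},
]
FP_ALERTS, TOTAL_ALERTS = 180, 240   # constructed alert counts for the same period
FP_HARD_THRESHOLD = 0.50             # assumed SOC-set tolerance, not an NCSC figure


def _ts(value):
    """Parse an ISO-8601 timestamp, passing None through for missing events."""
    return datetime.fromisoformat(value) if value else None


def ttd_ttr(records):
    """Median TTD and TTR in minutes over detected steps, plus missed/detected counts.

    TTD is measured from attack-step start to detection; TTR from detection to
    containment. Steps never detected count as misses rather than as a large TTD,
    so a missed step cannot be hidden inside an average.
    """
    ttd, ttr, missed = [], [], 0
    for r in records:
        start, det, con = _ts(r["start"]), _ts(r["detected"]), _ts(r["contained"])
        if det is None:
            missed += 1
            continue
        ttd.append((det - start).total_seconds() / 60)
        if con is not None:
            ttr.append((con - det).total_seconds() / 60)
    return {
        "median_ttd_min": median(ttd) if ttd else None,
        "median_ttr_min": median(ttr) if ttr else None,
        "detected": len(ttd),
        "missed": missed,
    }


def fp_rate_ok(fp_alerts, total_alerts, threshold=FP_HARD_THRESHOLD):
    """True when the false-positive share of alerts is within the hard threshold."""
    return (fp_alerts / total_alerts) <= threshold if total_alerts else True
```

With the constructed data the median TTD is 51 minutes, the median TTR 30 minutes, one step was never detected, and the 75% false-positive rate breaches the 50% threshold.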