5. Measure

Without measurement, prevention remains an article of faith. Measurement quantifies prevention effectiveness, answering critical questions: Is prevention reducing risk? How much alert volume has been eliminated? What's the ROI of prevention investments? Where should we expand coverage next?

With measurement, prevention becomes demonstrable and improvable. Security teams prove risk reduction through metrics. Executives see ROI justifying continued investment. Organizations optimize prevention strategies based on what works.

Start here: Establish baselines and instrument controls

  1. Capture baseline metrics: Before prevention expansion, document the starting point: total findings from detection tools, finding breakdown by severity and type, time-to-remediate for different findings, hours spent on triage and remediation, and current prevention coverage by layer. Baselines provide the "before" picture for demonstrating prevention ROI.

  2. Instrument preventive controls: Each deployed control should generate telemetry. The access layer logs blocked API calls with user, action, and timestamp. The config layer tracks resources created with secure defaults. The build layer tracks issues flagged during scanning. The runtime layer logs misconfigurations detected and remediation actions taken.

  3. Calculate coverage metrics: Track prevention expansion over time: percentage of accounts with organization policies, percentage of repositories with IaC scanning, percentage of accounts with secure defaults, and percentage of accounts with runtime auto-remediation. Coverage expansion demonstrates systematic prevention growth across quarters.

Then strengthen: Quantify impact

  1. Track prevention effectiveness: Count risky actions prevented by organization policies. Compare detection findings before and after prevention deployment. Calculate the percentage reduction in specific finding types. Track what percentage of issues each layer catches (Build: 60%, Access: 25%, Config: 10%, Runtime: 5%). Effectiveness metrics prove prevention works.

  2. Calculate efficiency gains: Quantify hours previously spent on remediation that prevention eliminated. Calculate the cost difference between prevention and remediation using industry benchmarks (build-time fixes cost 10-100x less than production remediation). Measure deployment velocity with prevention guardrails versus previous approval-gate models.

  3. Create audience-specific dashboards: Package metrics for different stakeholders. Executive dashboards show total risk reduced, cost savings, and coverage expansion with trend lines. Security team dashboards show coverage by layer, blocked actions by type, exception volume, and remaining gaps. Engineering team dashboards show issues caught before production and time saved.

Ongoing improvement: Optimize through data

  1. Use metrics to guide strategy: Analyze effectiveness metrics to identify the highest-value opportunities. If the build layer catches 40% of issues but only covers 50% of repositories, expanding build coverage delivers the highest ROI. If the runtime layer catches many issues that should have been prevented earlier, strengthen the build and access layers for those finding types.

  2. Demonstrate value to stakeholders: Use measurement to prove prevention ROI to executives: finding volume decreased 65%, security team capacity freed 35%, cost avoidance of $240K plus incidents prevented. To auditors: preventive controls enforce 85% of audit requirements automatically with continuous evidence. To engineering teams: time-to-production decreased from 2 weeks to 2 days with prevention guardrails replacing approval gates.

  3. Connect measurement back to discovery: Measurement closes the loop on each prevention iteration. It validates that deployed controls deliver the expected impact, identifies opportunities for optimization, demonstrates value to stakeholders, and informs the next Discovery cycle. Use metrics showing where gaps remain, which controls deliver the highest impact, and which approaches work best to guide the next iteration.

Measurement tracks prevention across three dimensions: Coverage metrics show how much prevention exists (percentage of accounts protected, controls deployed). Effectiveness metrics show prevention impact (actions blocked, findings eliminated). Efficiency metrics show resource optimization (capacity freed, costs avoided, speed improved). Together, these metrics quantify prevention posture, demonstrate value, and guide iterative improvement.
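The following is an added example, not code from the original page, showing how the three metric dimensions above (coverage, effectiveness, efficiency) and the "which layer to expand" decision can be computed from control telemetry. All figures are constructed sample data, the remediation-hours rate is an assumed benchmark, and the expansion-priority scoring is an assumed heuristic rather than a method the page prescribes.

```python
# Added example (not from the original page). All telemetry below is
# constructed sample data; the priority heuristic is an assumption.

# Constructed: detection-tool findings by type, baseline vs. current quarter.
BASELINE_FINDINGS = {"public_bucket": 120, "open_sg": 80, "unencrypted_volume": 60}
CURRENT_FINDINGS = {"public_bucket": 30, "open_sg": 40, "unencrypted_volume": 54}

# Constructed control telemetry: issues each prevention layer caught.
CAUGHT_BY_LAYER = {"build": 90, "access": 40, "config": 15, "runtime": 5}

# Constructed coverage per layer as (units protected, units total), e.g.
# accounts under organization policy or repositories with IaC scanning.
COVERAGE = {"access": (40, 50), "config": (30, 50), "build": (100, 200), "runtime": (20, 50)}

REMEDIATION_HOURS = 2.0  # assumed average hours per production remediation


def reduction_by_type(baseline, current):
    """Effectiveness: percentage reduction of each finding type vs. baseline."""
    return {k: round(100 * (baseline[k] - current.get(k, 0)) / baseline[k], 1)
            for k in baseline if baseline[k]}


def coverage_pct(coverage):
    """Coverage: percentage of units protected, per layer."""
    return {layer: round(100 * done / total, 1) for layer, (done, total) in coverage.items()}


def layer_share(caught):
    """Effectiveness: share of all caught issues attributed to each layer."""
    total = sum(caught.values())
    return {layer: round(100 * n / total, 1) for layer, n in caught.items()}


def hours_saved(caught, hours_per_fix=REMEDIATION_HOURS):
    """Efficiency: remediation hours avoided because issues never reached production."""
    return sum(caught.values()) * hours_per_fix


def expansion_priority(caught, coverage):
    """Rank layers for expansion (assumed heuristic): a layer that catches a
    large share of issues while still covering few units gains the most."""
    share = layer_share(caught)
    score = {layer: share[layer] * (1 - done / total) for layer, (done, total) in coverage.items()}
    return sorted(score, key=score.get, reverse=True)


if __name__ == "__main__":
    print(reduction_by_type(BASELINE_FINDINGS, CURRENT_FINDINGS))
    print(coverage_pct(COVERAGE), layer_share(CAUGHT_BY_LAYER), hours_saved(CAUGHT_BY_LAYER))
    print(expansion_priority(CAUGHT_BY_LAYER, COVERAGE))
```

With this sample data the build layer catches 60% of issues on 50% coverage, so it ranks first for expansion, matching the reasoning in the strategy step above.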

The five practices work iteratively: Discover current posture, Analyze opportunities, Simulate new controls, Deploy safely, and Measure effectiveness. Organizations cycle through these practices repeatedly, expanding prevention coverage systematically. Each iteration builds on previous work. Prevention capabilities compound over time. Measurement makes this iteration data-driven rather than relying on guesswork.