It's no mystery that it's crucial to have objective metrics to measure the progress of our infosec and DevOps programs. While most understand the need for metrics setting realistic goals and appropriately interpreting metrics can be hard. We have to understand metrics not in terms of the individual indicators but rather the overall picture that they paint together. Therefore, KPIs should not be set based on the single metric values, but rather a comprehensive score derived from the aggregated set of metrics.