Proving that security is improving is just as important as the improvements themselves. However, it’s not always practical or necessary for many MSPs and IT teams to invest in a full-scale Security Information and Event Management (SIEM) platform to do so. Keep reading to learn some practical methods for IT security risk analysis tracking to ensure client visibility into security improvements without the overhead of SIEM tools.
How to measure security improvement without using SIEM tools
Measuring security progress is crucial, but it doesn’t always have to be a heavy expense, especially for small- to mid-sized MSPs and IT teams. While SIEM tools are the go-to solution for centralizing logs, monitoring threats, and generating compliance reports, they usually come with high costs and steep learning curves. Instead, MSPs can use lighter, repeatable methods to assess cybersecurity metrics over time.
📌 Prerequisites:
- Administrative permissions to collect data from endpoints, run scripts, export group policies, and review ticketing systems
- Basic scripting tools (for example, PowerShell)
- Vulnerability and security assessment utilities (such as Microsoft Secure Score, Nessus Essentials, and Microsoft Defender Security Center)
- Reporting and visualization platform (like Excel, Power BI, Google Data Studio, or Azure Workbooks)
- Ticketing and documentation system (for example, NinjaOne, ConnectWise)
- Up-to-date records of devices, users, and applied policies
Step 1: Establish a baseline security assessment
Assessing your baseline security should be your starting point. In addition to uncovering immediate security gaps, it can help you understand the current state of your organization’s security posture and give you something to measure future progress against.
When building your baseline, focus on the following core elements:
- Patch and update status: Document which systems are missing critical patches or updates, as out-of-date endpoints can be easy entry points for attackers.
- Active security controls: Record the current state of essential protections such as antivirus, endpoint detection and response (EDR), firewalls, disk encryption (like BitLocker), and multi-factor authentication (MFA).
- Password and policy enforcement: Capture Group Policy Object (GPO) settings or equivalent (such as password length, complexity, expiration, account lockout thresholds).
- Vulnerability scan results: Run scans with tools like Microsoft Secure Score, Nessus, or Defender ATP. Record the scores and identified vulnerabilities.
- User and device inventory: Confirm which devices and accounts exist, whether they are active, and whether any stale accounts or unauthorized devices pose risks.
This baseline assessment should be a standardized task done with consistent tools and scheduled at regular intervals (quarterly or monthly). Clear deliverables, such as initial security scores and identified high-priority issues, should be included to make the results meaningful for clients.
Step 2: Track configuration and policy drift over time
Even with strong policies in place, configuration drift can happen where small changes over weeks or months weaken protections without anyone noticing. It’s essential to track and document these shifts to prove that controls are always effective and to justify deliberate changes to clients.
You can use scripting or built-in reporting tools to export and compare configurations regularly. Consider the following tasks:
- Export Group Policy Object (GPO) reports quarterly using this PowerShell command:
Get-GPOReport -Name "Default Domain Policy" -ReportType XML -Path ".\GPO-Q1.xml"
💡 Note: Replace “Default Domain Policy” with the name of any GPO.
This command generates a detailed XML file of a specific GPO (in this example, the Default Domain Policy) in a versioned folder structure. It will essentially give you a complete snapshot of the policy’s configuration at that point in time.
- Compare settings (for example, password complexity, account lockout policies) between quarters, using any of the following methods:
- Manual comparison using a diff tool to highlight changes
- Automated PowerShell scripts or third-party tools to flag differences between snapshots
- Visual summaries of key changes in a simple table or chart
- Record what was altered, why, and what risk or compliance requirement the change addressed.
- Include this IT security documentation in client-facing reports.
Step 3: Measure and trend incident metrics
You must also track and analyze incidents to review how well your set defenses and response processes are working. These trends can show a vital picture of continuous improvement and operational maturity.
Always focus on metrics that balance technical depth with client clarity, such as:
- Number of security-related tickets: The overall incident volume, segmented by type (for example, phishing, malware, credential resets)
- Time to Detect (TTD) and Time to Resolve (TTR): Average time from alert to acknowledgement and from acknowledgement to resolution
- User-reported incidents: Tracking phishing emails, suspicious activity, or policy violations reported by staff
- Endpoint remediation actions: Device reimages, malware cleanups, or enforced credential resets
- Recurring vs. first-time incidents: To show whether issues are being resolved permanently
It’s also good to highlight improvements and track efficiency gains even when raw numbers point to some risks. For example, a higher number of user-reported phishing attempts may be positive, since it shows endpoint security training is working.
Step 4: Leverage lightweight risk or maturity models
Instead of simply looking at numbers, show how your organization has advanced in overall maturity or reduced risk exposure. Lightweight risk and maturity models can offer simple yet structured frameworks that translate technical changes into strategic content. This should help clients understand where they stand and where they are headed.
Here are some approaches to consider:
- CIS Controls maturity scoring
- Rate implementation of each control on a scale (for example, 0 = not implemented, 1 = partially implemented, 2 = fully implemented).
- Track quarterly improvement scores for controls such as patching, asset inventory, or access management.
- Custom internal models
- Define simple stages such as:
- Level 1: Basic controls (antivirus enabled, OS patched, firewall active)
- Level 2: Enforced controls (strong passwords, encryption, MFA in place)
- Level 3: Optimized controls (regular audits, proactive monitoring, automated remediation)
- Assign clients to a level at baseline, then document movement upward over time.
- Define simple stages such as:
- Risk scoring models
- Assign risk points for vulnerabilities, missing patches, or disabled protections.
- Track the total risk score reduction as issues are remediated.
- Example: “Risk score decreased from 75 to 42 after patching critical vulnerabilities.”
Choose a model that fits your environment and client base, but don’t overcomplicate it. Always apply the same criteria in each assessment cycle, then record baseline scores to show changes over time. For reporting, translate technical jargon into plain language.
Step 5: Visualize with dashboards or simple charts
Finally, you want to build client confidence by letting them view progress represented clearly and visually. Utilize dashboards and simple charts to turn raw data into an understandable story. These visuals should help transform technical metrics into meaningful insights for clients.
You can use various tools and methods, such as the following:
- Excel or Google Sheets: Create line graphs or bar charts for quarterly comparisons.
- Power BI or Google Data Studio: Build interactive dashboards for recurring client reviews.
- Azure Workbooks: Ideal for those already leveraging Microsoft 365 environments.
Instead of focusing on the technicalities, emphasize trends and outcomes, such as:
- Security posture over time
- Policy enforcement rates
- Incident trends
- Before vs. after views
NinjaOne integration ideas
Even without SIEM platforms, NinjaOne can help track and report security improvements with its various features and capabilities.
| Area | How NinjaOne helps | Example use case |
| Configuration and policy snapshots | Run scheduled PowerShell scripts to collect device and policy status data. | Quarterly GPO exports or encryption checks are automatically stored for comparison. |
| Remediation tracking | Tag devices with remediation status (such as SEC-AV-Enabled, SEC-Hardened). | Quickly filter devices by compliance level when preparing reports. |
| Asset reports | Generate reports on encryption, firewall, AV, and EDR status. | Show clients a snapshot of how many endpoints are fully protected. |
| Incident metrics | Track and categorize tickets tied to security incident categories. | Demonstrate reductions in resolution times or recurring issues over time. |
| Policy and risk documentation | Attach quarterly policy snapshots or Secure Score summaries to asset documentation. | Provide clients with clear “before vs. after” evidence during reviews. |
| Alerting and gaps | Set alerts for missing controls (like BitLocker disabled, AV inactive). | Proactively notify technicians (and later report to clients) when a device drifts from compliance. |
Proving progress without SIEM
A SIEM platform is not always necessary to prove that security is improving. MSPs can use lightweight tactics, from baseline assessments to simple visualizations, to provide clients with evidence of security progress. Just make sure to focus on the bigger picture rather than the minor details to clearly demonstrate long-term maturity, reduced risk, and the tangible value of your security services.
Related topics:
