Cybersecurity governance: A path to cyber maturity Cybersecurity skills gap: Why it exists and how to address it

12 key cybersecurity metrics and KPIs for businesses to track

IT security managers need to monitor cybersecurity efforts and make sure they're effective. These 12 metrics and KPIs will help show what's working -- and what isn't.

Cybersecurity is critical -- everyone knows that. But justifying investments in the tools and resources required to keep an IT infrastructure secure isn't as straightforward. That's why IT security managers must find effective ways to measure cybersecurity efforts -- both to monitor their progress and show that they do ultimately prevent data breaches, ransomware attacks and other security threats.

Tracking cybersecurity metrics and KPIs also helps paint a picture of the threat landscape that businesses face. And based on the metrics, a company's overall cybersecurity strategy can be changed as needed to block current threats and reduce long-term cyber-risk. Let's look at some of the top operational metrics and KPIs to track and why doing so is an essential part of the cybersecurity process.

Why it's important to track cybersecurity metrics

Understanding a business's exposure to security risks is the primary reason to track cybersecurity metrics on an ongoing basis. Doing so provides a historical view of the security events that have occurred and where they happened in IT networks and systems, as well as up-to-date information on how effectively security tools, processes and teams are functioning.

Monitoring metrics also enables security teams to better understand where threat actors are currently attempting to gain access to IT infrastructure. This knowledge helps teams prioritize where action must be taken against ongoing attacks and deploy a mix of tools and processes that can stop imminent cyberthreats before they affect an organization.

Finally, metrics and KPIs are great tools to use in setting future goals and planning how to improve security performance. For example, security managers can use daily or weekly reports containing various metrics to help their teams be more prepared for cyber attacks -- or to put extra sets of eyes on threats and vulnerable parts of the infrastructure when necessary.

With that in mind, here are 12 cybersecurity metrics that businesses should be tracking.

1. Detected intrusion attempts

At first glance, detected intrusion attempts might not seem like one of the most important IT security statistics. However, it does present a broad picture of the overall number of threats a company faces. One issue with IT security is that when threat prevention mechanisms work and few incidents occur, business leaders tend to assume the organization is no longer a target. Sharing data that proves otherwise is a good way to demonstrate that cybersecurity threats continue to exist and, in most cases, are growing all the time.

2. Number of security incidents

A key aspect of managing IT security is to monitor whether changes to tools and processes result in improvements. A large portion of the IT budget is often spent on cybersecurity, so the metrics being tracked should indicate that the money is being used wisely. Collecting data on the number and rate of security incidents over specific periods can help CISOs and other cybersecurity leaders make sure that the defenses put in place are having a positive impact on protecting an organization's digital assets.

3. Incident severity levels

Understanding the severity level of a cyber intrusion or data theft will help in prioritizing actions to ensure that business-crippling incidents don't continue. This metric can also be used over time to see whether new security tools or updated processes are lowering the number of high-severity incidents.

4. Incident response times

Speed is critically important when it comes to identifying and addressing cyberthreats. Tracking incident response times lets security managers see how effective their teams are at responding to alerts and getting to work on threats. With that information, managers can focus on lowering the response times if they aren't fast enough. In addition to monitoring responses to individual threats, mean time to respond (MTTR) is commonly calculated as an average. Mean time to detect, or MTTD, is a related average for identifying attacks and other threats.

5. Incident remediation times

Quickly responding to a cybersecurity incident is only half the story. The other half relates to the speed at which malware or another identified threat can be isolated, quarantined and completely removed from IT equipment. Some security practitioners alternatively use MTTR in this context, as mean time to remediate. If remediation times slip, it's a clear sign that changes must be made in a security program.

6. Number of false positives and negatives

The field of cybersecurity relies on various tools that automate the identification of malware or suspicious behavior and alert security teams to threats. However, these tools require fine-tuning and regular maintenance to keep them from mistakenly flagging anomalies that might look like a threat but are benign -- or missing real security incidents. Tracking false positives and negatives helps teams to determine whether tools have been properly configured and tuned.

7. Vulnerability patch response times

It's well known that one of the best ways to protect business-critical software is to patch operating systems and applications as soon as bug fixes become available from vendors. Tracking how quickly cybersecurity teams install software patches shows the effectiveness of this critical risk-avoidance practice.

8. Vulnerability assessment results

Vulnerability scanning tools run tests against IT systems and user devices to see if they're patched against known vulnerabilities and identify other potential security issues. The assessment results generated by scans include lists of new and still-open vulnerabilities, risk ratings, vulnerability pass/fail ratios and other data points. This information can be used along with the metric on patch response times to identify whether more resources should be allocated to ensure that vulnerability management efforts meet goals.

9. End-user application and data access levels

Business leaders might assume that cybersecurity threats largely come from outside the organization. However, in some companies, cybersecurity metrics on internal users show that insider threats are a far greater issue. Collecting and analyzing information on access privileges and application and data access by employees can highlight internal security issues as well as needed changes to user access controls.

10. Overall volume of data generated

While not strictly a security metric, tracking how much data is generated and sent through the corporate network can be of great value in identifying potential threats and determining how well security tools and processes will scale. Changes in traffic volumes, whether gradual or abrupt, can indicate malware intrusions or other types of cyber attacks. This metric can also help justify the need for new or upgraded security measures. It will help drive home -- and correctly so -- the notion that as network usage increases, so should the amount of money allocated to protect the network and IT systems.

11. Number of audits, assessments and penetration tests

Cybersecurity "housekeeping" involves a series of audits, assessments, penetration tests and other checks done to ensure that security processes and tools are working as expected. It's quite common, though, for IT security teams to become so overburdened with day-to-day tasks that these important procedures are delayed or forgotten. Tracking their frequency provides visibility into this aspect of cybersecurity so security managers can make sure it doesn't fall by the wayside.

12. Security benchmarks against similar organizations

Several cloud-based security analytics tools provide the ability to compare anonymized cybersecurity metrics to those of other organizations in the same industry. In a sense, this is a "metric of comparing metrics." Such benchmarking helps to identify whether the IT security team is on track or in need of a reset when compared to industry peers.

How to manage the process of tracking cybersecurity metrics

Gaining visibility into critical cybersecurity metrics and KPIs does little for an organization if security teams don't understand how to use them to meet strategic objectives. This is where effective management practices come into play. To achieve the desired cybersecurity results using relevant real-time and historical data points, adopt the following best practices:

  • Define your goals, then figure out which metrics will help identify progress. Too often, IT security leaders focus on individual metrics and KPIs as opposed to the goals they want to achieve. This leads to situations where good data is right in front of them, but nothing is accomplished because no goals have been set. Instead, create useful and actionable goals first. Once they're established, the various metrics and KPIs that best track the success or failure of those goals can be selected.
  • Create a dashboard to keep metrics and KPIs top of mind. Combining well-defined cybersecurity goals with ways to accurately measure success does little if only security managers are tracking the metrics. Instead, make sure this is a team effort. Developing a metrics and KPIs dashboard that the entire security team can use to monitor progress will help keep everyone involved and informed.
  • Be prepared to refine or change goals, metrics and KPIs. Don't think that once cybersecurity goals, metrics and KPIs are initially locked in, they can never change. Instead, assume that everything will need to be adjusted over time because business requirements and the security tools, processes and staff needed to meet them will undoubtedly change. The whole purpose of this exercise is to use relevant data to improve cybersecurity protections. Understanding that business evolution and pivots will affect what's strategically important should guide the process of creating goals and choosing appropriate metrics and KPIs to track.

Andrew Froehlich is the founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.

Next Steps

Free cybersecurity tools you should know about

Tips for building a cybersecurity culture at your company

Top enterprise cybersecurity challenges

How to perform a cybersecurity risk assessment

Cybersecurity budget breakdown and best practices

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing