https://www.techtarget.com/searchsecurity/tip/7-key-cybersecurity-metrics-for-the-board-and-how-to-present-them
Metrics are the lifeblood of any organization. Without metrics or KPIs, enterprise managers can be blind to critical variables that determine success and help them hit financial and production targets.
For cybersecurity practitioners, metrics are critical to monitoring and managing digital risks and demonstrating to executives, board members and other stakeholders how well the organization defends itself from threats. They are essential snapshots of an organization's overall security health.
Cybersecurity metrics and KPIs are necessary for measuring the strength of an organization's security program and revealing patterns that either reinforce existing practices or point to areas that need improvement.
"Without metrics, you don't know if you're doing the right things or improving or sharpening your tools," said David Lindner, CISO of Contrast Security, which makes application security software. "If I see trends of certain metrics going the wrong direction, I will reinvest resources to try to resolve those things, fix them and make them go the other direction."
Metrics can also help an organization improve its security program over time. "Metrics are becoming more and more foundational guidelines that you look at daily, weekly and monthly to track how you're doing, show your improvement and get buy-in for your security program," said Steve Cobb, CISO of SecurityScorecard, a maker of supply chain detection and response software.
Security metrics can also help explain the value of an organization's cybersecurity program to decision-makers and stakeholders, including the C-suite and board. "There is value in using those metrics to show ROI or value to leadership so that you can continue to invest in your cybersecurity programs and develop your resources internally to take your cybersecurity practice to a better state," Cobb said.
Finally, metrics can help organizations build threat actor profiles for cyberdefenders, enabling them to develop the most effective strategies for countering threats.
Security professionals can choose from an endless array of metrics and KPIs. That is why Bob Maley, CSO of Black Kite, a maker of a cyber-risk intelligence platform, recommends starting with objectives and key results (OKRs) or a comparable goal framework in cybersecurity planning and then working backward to identify the metrics that must be tracked to achieve those objectives.
"It's important to measure things that directly affect the company's overall objectives, rather than collecting metrics for the sake of it," he said.
Experts generally point to 10 foundational cybersecurity metrics that security leaders find the most useful for achieving their security goals. These metrics are the following:
Although tracking metrics and putting them to good use can sometimes seem daunting, experts offer a few tips to make the process easier. "Security leaders should consider what story they want to tell, what data is available and whether the metrics are easily measurable," said Black Kite's Maley.
SecurityScorecard's Cobb underscored the importance of using metrics to tell a story. "If you look back over security events that happen many times, you can see breadcrumbs that were left far in advance of the actual event taking place, like an increased number of phishing attacks or other things that you may track from a metric perspective in your cybersecurity program," Cobb said. "Those can tell a story and give you an understanding of what's to come."
Finally, measuring and reporting security metrics can be challenging but can also be made easier by "correlating different metrics, such as click-through rates and phishing attacks, to get a comprehensive picture of the security situation," Maley said.
Even as metrics offer essential guidance for cybersecurity leaders in developing their own plans, they can also be valuable tools for keeping management and board-level decision-makers plugged into the organization's cybersecurity program.
However, experts say it is not always easy to translate these key measures in ways that executives who are not steeped in cybersecurity can understand. "It's not easy to talk to boards at all, especially in the language most cybersecurity practitioners and leaders use," Cobb said.
"There's a language barrier between the practitioners and what the board sees in ROI and how they translate that," he added. "One of the biggest challenges I see for CISOs and security practitioners today is mastering that translation."
"Most boards that don't have insight into the day-to-day of a security organization are probably going to be more interested in the badness, the nuance of what's changed and why, and what are we doing about it," Lindner said. As soon as something bad happens, "that's when they get a little bit more invested," he added. "Frankly, it makes my job easier to explain why we need something."
Above all else, security professionals should steer board-level conversations to the bottom line. "When communicating with the C-suite or board, focus on how security metrics connect to the company's bottom line and operational value," Maley said. "Present a narrative that demonstrates trends in security threats and their potential impact on the business, rather than just providing technical metrics."
Cynthia Brumfield is a writer, analyst, publisher and instructor specializing in cybersecurity. She is the author of the Wiley book, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.
26 Jun 2025