Jan 12, 2022
Paul-Arthur Jonville
Effective cybersecurity is no longer optional in today's digital landscape—it's a critical business necessity. Yet, many companies struggle to measure their security efforts accurately. The adage, "You can't manage what you can't measure," rings especially true in cybersecurity, where threats constantly evolve and attacks are becoming more frequent and sophisticated. Without the right metrics, organizations risk being blindsided by breaches that could have been mitigated with proper foresight.
Consider this: according to a 2023 report, it takes companies 212 days to detect a breach and 75 days to contain it. That’s nearly 9 months where attackers have free rein inside your network. Metrics are the foundation of an organization’s ability to measure its cybersecurity posture, assess risk exposure, and identify areas for improvement. However, many Chief Information Security Officers (CISOs) still feel uncertain about whether they are using the right metrics to protect their businesses.
This is where the importance of cybersecurity metrics comes into play. These metrics are essential for monitoring operational effectiveness and justifying cybersecurity investments to stakeholders at every level—from the C-suite to board members. By establishing actionable, relevant, and measurable metrics, organizations can ensure they are not just reacting to threats but proactively strengthening their security posture.
In this article, we’ll explore what makes a cybersecurity metric effective and which key metrics your organization should use to stay ahead of cyber threats.
As in any other program, cybersecurity metrics are diverse, and obtaining detailed risk exposure data is challenging. Even today, Chief Information Security Officers (CISOs) are often not confident that they are using adequate cybersecurity metrics when monitoring their activities.
However, cybersecurity differs from other fields in the constant development of the threat landscape and the technologies used by attackers and defenders. Thus, cybersecurity metrics are critical to keep up with this evolution.
As attacks grow and their consequences become more apparent, interest in cyber resilience also increases at shareholder, regulatory, and board levels. A CISO needs to provide more actionable cybersecurity metrics to justify growing security costs to decision-makers who lack a technical background.
However, measurements are also crucial at a technical level. Security operations centers (SOC) use cybersecurity metrics to determine the effectiveness of their operations and identify ways of progressing in their incident management programs. In short, metrics are a driver for continuous improvement.
So, the choice of cybersecurity metrics is crucial for these two points: improvement and justification. Below, we'll define:
What makes good cybersecurity metrics
Which cybersecurity metrics should you use
A look at a comprehensive list
What makes a good cybersecurity metric?
Defining a set of good cybersecurity metrics is challenging in itself. To select a good set, people need an exhaustive overview of the company: its business, technology, specific risks, and what information needs to be protected and why.
Also, metrics differ; some target the macro or forward level, whereas others focus on the micro or backward level. In the end, we could even dare to say that there are as many metrics as people in charge of defining them.
Among all these metrics, it's easy to get lost and lose the meaning behind the numbers. Thus, when assessing a set of metrics for their organizations, people often refer to the "SMART" structure. It stands for:
Specific: tailored to the area measured
Measurable: accurate and complete
Actionable: simple to understand and to take action on
Relevant: what's necessary
Timely: available when needed
Source: MetricStream
Metrics defined according to this design bring clarity, structure, and measurability. They make a number much more comprehensible.
But behold! SMART is good but not good enough.
In the end, a good metric doesn't come alone. A number makes sense only when further data accompany it. Metrics can only come after you decide on Goals. What are you chasing? What are your objectives? Goals give you direction.
Also, you should define what's acceptable and what is not, as well as a target range for each measurement. You don't need to chase 100% everywhere. Quite the opposite, actually. The "five nines" rule (99.999%) helps you better allocate your resources. The point is to keep in mind that no system is infallible. Every one of them ends up breached at some point. Trying to close the gap between 99.999% and 100% would cost you an exponential amount of time and people better spent elsewhere.
This is why you must define lower and upper bounds for each metric—an acceptable range that governs your teams' effort allocation.
To sum up, measurements are part of a broader governance plan. Each has to follow specific goals, action plans, and targets. Even SMART metrics cannot stand alone, though they too often do.
Define Goals
Define Action plan
Assess metrics
Set targets that will be used to monitor metrics regularly
Comparison is one of the keys to assessing your posture strength. Metrics deliver their best when compared. Peers and competitors are facing the same threats as you. They're trying to enact the same policies. Thus, by comparing with peers and the global average, you're determining whether you're over or underperforming.
Emphasis on understandability of cybersecurity metrics
We cannot stress enough the understandability of the cybersecurity metrics you'll use, given the exponential growth of cyberattacks over the last two years. The CISO's role has gained immense traction with boards. Beyond emergencies, boards increasingly see cybersecurity as a necessary collaboration embedded in deeper ties with other departments.
This new relationship requires the CISO to have a more thorough understanding of C-level concerns and priorities and how these translate into information and infrastructure security. The board must, in turn, acknowledge how vital cyber risk has become to business outcomes and consider it when taking responsibility.
The CISO's role is to influence and inform. To that end, you need to communicate with simple and actionable data. That said, you will want to choose some metrics that are clear to anyone, even non-technical stakeholders.
And remember that one universal metric is cost. Previously, we discussed cybersecurity's goal of saving your company money. By comparing your results to those of your peers or on a year-to-year basis, you should be able to distill your point into actionable data. Let's dive in.
Which cybersecurity metrics should you use?
In Enterprise Risk Management, specialists rely on Key Performance Indicators (KPI) and Key Risk Indicators (KRI), sometimes one instead of another or both under one name. These metrics are perfectly suitable for cybersecurity, but let's take a minute to redefine them.
A KPI is a measure of performance. It is, by nature, a backward-looking metric that offers a higher-level overview. It's not designed to provide early warnings but to analyze trends.
A KRI measures risk exposure. Unlike a KPI, it is forward-looking, at a lower and more technical level. They're two different metrics but complementary, because KRIs come before KPIs and inform them.
You should link each KRI to a KPI to align performance management and risk management and make them as understandable as possible. KPIs have long played an essential role in performance management.
A comprehensive Security governance policy should be hierarchized into:
Goals
KPI
KRI
Targets
Here's our pick of cybersecurity metrics
Let's look at the selected KPI and KRI with that in mind. Again, you should accompany these with pre-established goals as to the objectives you want to achieve and, more specifically, targets for each KPI and KRI.
Also, KPI and KRI need to be coherent. For instance, virus monitoring helps reduce the number of incidents reported. Remember that KRI and KPI are complementary.
Key Risk Indicators (KRI)
Level of Readiness: Number of devices on your corporate network that are patched and up to date
Unidentified Devices on Network: malware can find its way into your network when employees bring their own devices
Vendor Security Rating: your cybersecurity metrics must follow the threat landscape beyond your company's limits. To complete your metrics, you must assess vendor risk management within a third-party risk framework.
Third-party dependencies: as the Log4Shell exploit proved, you need to be aware of all the dependencies you're relying on to assess your risk exposure properly
Patching Cadence: the time needed to implement application security patches or mitigate high-risk CVE-listed vulnerabilities. Cybercriminals use threat intelligence databases to benefit from the delta between patch release and effective implementation. WannaCry exploited EternalBlue to make its way into computers. This zero-day vulnerability was quickly patched, but many companies still got breached due to a lag in their patching policy.
Antivirus monitoring: periodicity of antivirus scans on apps (email clients, web browsers, and instant messaging software)
Access Management: How segmented is your network? Many breaches are due to insider threats, such as negligent users with high privileges.
Backup Cadence: how often you back up your data
Number of known vulnerabilities on externally facing and internal systems: an exhaustive view of your assets classified by their risk exposure
Key Performance Indicators (KPI)
Number of alerts: how many alerts have been received daily
Number of false positive alerts: how many false positive alerts are SOC analysts encountering daily
Number of reported incidents: how many reported incidents within a specific timeline
Mean Time to Detect (MTTD): number of days breaches go unnoticed
Mean Time to Remediate (MTTR): number of days between detection and remediation
Mean Time to Contain (MTTC): number of days until identified attack vectors are barred across compromised endpoints
Cost induced by incidents: on a monthly and annual basis, how much did breaches cost? Costs include investigation costs, productivity loss, downtime, regulatory sanctions, and data loss
Analyst workload: the number of events that your analysts have to deal with daily
Phishing attack success: following phishing and spear-phishing campaigns, the percentage of recipients who fell for them
Cybersecurity awareness training: the recurrence, comprehensiveness, in terms of employees concerned (C-suites included), and results
A final recommendation is to compare these cybersecurity metrics with your peers' results and global averages. As said above, comparisons are easily understandable and appealing for board talks.
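To make the KPI definitions above concrete, here is an added example (not the article's own code) that computes MTTD, MTTC, MTTR, alerts per day, false-positive rate and analyst workload from constructed incident and alert records. The record layout, field names and sample dates are assumptions made for illustration. It also handles the edge case the list glosses over: an incident that is detected and contained but not yet remediated must be excluded from MTTR (and reported alongside it), not counted as zero days.

```python
"""Compute the SOC KPIs listed above from constructed incident and alert
records. Added example, not the article's code: every record below is
constructed for illustration and the field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    name: str
    compromised: datetime            # estimated first attacker activity
    detected: datetime               # when the SOC declared the incident
    contained: datetime              # attacker access cut off on all affected hosts
    remediated: Optional[datetime]   # root cause fixed; None while still open


# Constructed sample incidents (not real data).
INCIDENTS: List[Incident] = [
    Incident("phish-001", datetime(2022, 1, 3, 9), datetime(2022, 1, 5, 9),
             datetime(2022, 1, 5, 21), datetime(2022, 1, 7, 9)),
    Incident("web-002", datetime(2021, 12, 1), datetime(2022, 1, 10),
             datetime(2022, 1, 12), datetime(2022, 1, 20)),
    Incident("insider-003", datetime(2022, 1, 15, 12), datetime(2022, 1, 16, 12),
             datetime(2022, 1, 16, 18), None),   # still open
]

# Constructed alert triage log: (day, analyst, verdict).
ALERTS: List[Tuple[str, str, str]] = [
    ("2022-01-10", "ana", "false_positive"),
    ("2022-01-10", "ana", "true_positive"),
    ("2022-01-10", "bob", "false_positive"),
    ("2022-01-11", "ana", "false_positive"),
    ("2022-01-11", "bob", "true_positive"),
]

SECONDS_PER_DAY = 86400


def _mean_days(pairs: List[Tuple[datetime, datetime]]) -> float:
    """Mean of (end - start) in days; 0.0 when there is nothing to average."""
    if not pairs:
        return 0.0
    total = sum((end - start).total_seconds() for start, end in pairs)
    return total / len(pairs) / SECONDS_PER_DAY


def mttd(incidents: List[Incident]) -> float:
    """Mean Time to Detect: compromise -> detection, in days."""
    return _mean_days([(i.compromised, i.detected) for i in incidents])


def mttc(incidents: List[Incident]) -> float:
    """Mean Time to Contain: detection -> containment, in days."""
    return _mean_days([(i.detected, i.contained) for i in incidents])


def mttr(incidents: List[Incident]) -> float:
    """Mean Time to Remediate: detection -> remediation, in days.
    Open incidents are excluded rather than silently counted as zero."""
    return _mean_days([(i.detected, i.remediated) for i in incidents
                       if i.remediated is not None])


def open_incidents(incidents: List[Incident]) -> List[str]:
    """Names of incidents still lacking a remediation date (report them next to MTTR)."""
    return [i.name for i in incidents if i.remediated is None]


def alerts_per_day(alerts) -> Dict[str, int]:
    """Raw alert volume per day, the 'number of alerts' KPI."""
    counts: Dict[str, int] = {}
    for day, _, _ in alerts:
        counts[day] = counts.get(day, 0) + 1
    return counts


def false_positive_rate(alerts) -> float:
    """Share of triaged alerts judged false positives."""
    if not alerts:
        return 0.0
    return sum(1 for _, _, v in alerts if v == "false_positive") / len(alerts)


def analyst_workload(alerts) -> float:
    """Mean alerts handled per analyst per working day."""
    per_day: Dict[Tuple[str, str], int] = {}
    for day, analyst, _ in alerts:
        per_day[(day, analyst)] = per_day.get((day, analyst), 0) + 1
    return sum(per_day.values()) / len(per_day) if per_day else 0.0


if __name__ == "__main__":
    print(f"MTTD {mttd(INCIDENTS):.1f} d, MTTC {mttc(INCIDENTS):.2f} d, "
          f"MTTR {mttr(INCIDENTS):.1f} d (open: {open_incidents(INCIDENTS)})")
    print(f"alerts/day {alerts_per_day(ALERTS)}, FP rate {false_positive_rate(ALERTS):.0%}, "
          f"workload {analyst_workload(ALERTS):.2f}/analyst/day")
```

One design choice worth stating in your own metric definitions: MTTR here is measured from detection, matching the list above, whereas some teams measure it from compromise. Either is fine as long as the start point is written down, because a number compared against peers is meaningless if they anchor it differently.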
Actionable Tips for Implementing Effective Cybersecurity Metrics
Effectively managing cybersecurity risks requires choosing the right metrics and ensuring that your team can act on the insights they provide. Below are some actionable tips to help you implement and manage cybersecurity metrics that drive both strategic and operational improvements:
1. Identify Relevant Risks and Align Metrics
Begin by thoroughly understanding your organization’s risk landscape. This involves conducting a comprehensive risk assessment to identify potential vulnerabilities and evaluating the impact these risks could have on your business. Once you have identified the key risks, align your Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) with these risks to ensure they reflect your most significant security concerns.
Tip: Ensure your risk identification process is iterative and dynamic to stay ahead of emerging threats. This helps keep your cybersecurity metrics relevant and up-to-date.
2. Use SMART Metrics
Apply the SMART framework to ensure your metrics are actionable. Metrics should be Specific, Measurable, Actionable, Relevant, and Timely. Using SMART metrics ensures that the data you collect is meaningful and leads to actionable insights.
Tip: Combine SMART metrics with predefined goals to provide direction and context for your cybersecurity efforts. This will help your team focus on what truly matters.
3. Leverage Automation and Technology
Manual data processing can lead to inefficiencies and human error, especially in dynamic security environments. Leveraging tools such as Security Information and Event Management (SIEM) systems, Endpoint Detection and Response (EDR) solutions, and automation platforms can streamline data collection and analysis, allowing your team to focus on high-priority threats.
Tip: Consider using Security Orchestration, Automation, and Response (SOAR) tools to automate routine tasks, such as alert triage and data enrichment, for more efficient risk management.
4. Monitor and Regularly Update KRIs
Key Risk Indicators (KRIs) should be continuously monitored to reflect changes in the organizational environment. As external threats evolve and internal factors shift, periodic reviews and updates of KRIs will ensure that your metrics remain aligned with current risks.
Tip: Set thresholds for KRIs that trigger automated alerts when a metric goes out of range. This allows your team to respond promptly before risks materialize.
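The following is an added example (not the article's code) of the threshold check this tip and the earlier "lower and upper bounds" advice describe: three of the KRIs from the list above are computed from a constructed asset inventory and device list, each is compared against a constructed acceptable range, and the ones out of range are returned as the alerts to raise. Target values, host names and dates are all assumptions; a real organisation sets them from its own risk assessment.

```python
"""Evaluate Key Risk Indicators against an acceptable range with a lower and an
upper bound, and flag the ones out of range. Added example, not the article's
code: the target ranges, asset inventory and device lists are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Target:
    lower: float   # below this the KRI is out of range
    upper: float   # above this the KRI is out of range
    unit: str


# Constructed target ranges for a fictional organisation.  For "level of
# readiness" the upper bound deliberately stops short of 100%: chasing the last
# fraction of a percent is the kind of effort the article says to spend elsewhere.
TARGETS: Dict[str, Target] = {
    "level_of_readiness_pct": Target(95.0, 99.9, "% of devices fully patched"),
    "patching_cadence_days": Target(0.0, 14.0, "mean days from patch release to deployment"),
    "unidentified_devices": Target(0.0, 2.0, "devices seen on the network but not in inventory"),
}

# Constructed inventory: (host, patch release date, date patched or None if still unpatched).
ASSETS: List[Tuple[str, date, Optional[date]]] = [
    ("ws-01", date(2022, 1, 1), date(2022, 1, 4)),
    ("ws-02", date(2022, 1, 1), date(2022, 1, 20)),
    ("srv-01", date(2022, 1, 1), date(2022, 1, 2)),
    ("srv-02", date(2022, 1, 1), None),
]
KNOWN_HOSTS: Set[str] = {"ws-01", "ws-02", "srv-01", "srv-02"}
SEEN_ON_NETWORK: Set[str] = KNOWN_HOSTS | {"unknown-device-1"}
AS_OF = date(2022, 2, 10)   # constructed reporting date


def level_of_readiness(assets) -> float:
    """Percentage of inventoried devices that have the patch applied."""
    if not assets:
        return 0.0
    return 100.0 * sum(1 for _, _, patched in assets if patched is not None) / len(assets)


def patching_cadence(assets, as_of: date) -> float:
    """Mean days from release to deployment.  An unpatched host counts with its lag
    up to `as_of`, so a stalled rollout raises the metric instead of hiding in it."""
    if not assets:
        return 0.0
    lags = [((patched or as_of) - released).days for _, released, patched in assets]
    return sum(lags) / len(lags)


def unidentified_devices(seen: Set[str], known: Set[str]) -> int:
    """Devices observed on the network that are absent from the inventory."""
    return len(seen - known)


def evaluate(value: float, target: Target) -> str:
    """Range verdict for one KRI value."""
    if value < target.lower:
        return "below_range"
    if value > target.upper:
        return "above_range"
    return "ok"


def kri_report(assets, seen, known, as_of: date, targets=TARGETS) -> Dict[str, Tuple[float, str]]:
    """Current value and range verdict for every KRI that has a target."""
    values = {
        "level_of_readiness_pct": level_of_readiness(assets),
        "patching_cadence_days": patching_cadence(assets, as_of),
        "unidentified_devices": float(unidentified_devices(seen, known)),
    }
    return {name: (values[name], evaluate(values[name], targets[name])) for name in targets}


def out_of_range(report) -> List[str]:
    """KRIs that should trigger an alert to the team."""
    return [name for name, (_, verdict) in report.items() if verdict != "ok"]


if __name__ == "__main__":
    report = kri_report(ASSETS, SEEN_ON_NETWORK, KNOWN_HOSTS, AS_OF)
    for name, (value, verdict) in report.items():
        print(f"{name:24s} {value:7.2f} {TARGETS[name].unit:48s} {verdict}")
    print("alerts:", out_of_range(report))
```

Note the caveat built into patching_cadence: averaging only over hosts that have already been patched would make a stalled rollout look better the longer it stalls, so the unpatched host is charged with its lag up to the reporting date. Which side of a range counts as "bad" depends on the KRI (readiness below the floor, cadence above the ceiling), which is why the report returns the direction and not just a boolean.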
5. Benchmark Against Peers
Benchmarking your cybersecurity metrics against industry standards or competitors allows you to gauge your organization’s performance. It provides context for whether your risk management efforts are falling behind, on par with, or ahead of industry norms.
Tip: Use publicly available reports or industry surveys to identify average performance metrics within your sector and compare them to your organization's results.
6. Simplify Communication for Stakeholders
When reporting cybersecurity metrics to stakeholders such as board members or senior management, prioritize clarity. Use visuals like dashboards and graphs to simplify complex data and focus on key takeaways that matter to non-technical audiences. This ensures that decision-makers can grasp the security situation and support necessary actions.
Tip: Tie cybersecurity metrics back to business outcomes, such as cost savings, to make them more relatable and compelling for stakeholders.