"Show me the numbers."
I was sitting across from a newly appointed CEO who had just inherited a cybersecurity program with a $2.3 million annual budget. She'd been in the role for three weeks and wanted to understand what she was getting for her investment.
The CISO pulled up a PowerPoint deck filled with charts. "We blocked 47 million malicious emails last month," he began proudly. "We prevented 12,000 malware infections. Our firewalls processed 8.7 billion packets..."
The CEO held up her hand. "Stop. I need you to answer a different question: Are we more secure today than we were six months ago? And how do you know?"
The room went silent.
After fifteen years of building, auditing, and rescuing cybersecurity programs, I've learned a harsh truth: most organizations are drowning in security metrics while starving for actual insight. They measure everything and understand nothing.
Let me show you what actually matters.
The Metric Trap: Why Most Security Dashboards Are Useless
Here's a story that perfectly illustrates the problem.
In 2020, I was brought in to evaluate a financial services company's security program. Their security dashboard was impressive—real-time feeds, color-coded threat levels, dozens of charts updating every minute. It looked like something from a cybersecurity movie.
I asked the security team a simple question: "Based on these metrics, should your CEO be worried right now?"
They looked at each other. Nobody could answer.
The dashboard showed them that the firewall was blocking threats (good!), the antivirus was detecting malware (great!), and employees were completing security training (excellent!). But it told them nothing about their actual risk posture.
Three months later, they suffered a business email compromise attack that cost them $840,000. Their metrics never saw it coming because they were measuring activity, not outcomes.
"Metrics without context are just numbers. Numbers without decisions are just noise. The goal isn't to measure everything—it's to measure what matters."
The Framework: Three Types of Metrics You Actually Need
After working with organizations ranging from 10-person startups to Fortune 500 enterprises, I've developed a framework that cuts through the noise. Every meaningful security metric falls into one of three categories:
1. Risk Indicators (Are we getting safer or more dangerous?)
2. Performance Indicators (Is our security program working?)
3. Compliance Indicators (Can we prove it to auditors and customers?)
Let me break down each category with the metrics that have actually driven decisions in my experience.
Risk Indicators: The Metrics That Keep Me Up at Night
These are the metrics that tell you whether your organization is becoming more or less vulnerable over time. They're forward-looking and predict trouble before it arrives.
Mean Time to Patch Critical Vulnerabilities (MTTP)
This is my single favorite metric for measuring organizational risk. Here's why:
In 2021, I worked with two healthcare organizations of similar size. Both discovered the same critical vulnerability in their VPN infrastructure.
Organization A had a MTTP of 72 hours. They patched it within three days.
Organization B had a MTTP of 18 days. They were "working on it" when attackers exploited the vulnerability on day 14.
The breach cost Organization B $3.2 million and 18 months of regulatory scrutiny. Organization A? They never even made the news.
How to measure it:
Track time from vulnerability disclosure to patch deployment
Focus on critical and high-severity vulnerabilities
Measure across all systems, not just the easy ones
What good looks like:
Critical vulnerabilities: < 7 days (ideally < 3 days)
High vulnerabilities: < 30 days
Medium vulnerabilities: < 90 days
I've seen organizations transform by focusing on this single metric. One client reduced their MTTP from 23 days to 4 days over six months. They haven't had a successful vulnerability exploit since.
Percentage of Assets with Unknown or Unmanaged Status
Here's something I've learned the hard way: you can't protect what you don't know exists.
I consulted for a mid-sized tech company in 2019. They had 847 servers in their asset database. When we did a comprehensive network scan, we found 1,243 active systems.
That's 396 servers—47% of their actual infrastructure—that nobody was patching, monitoring, or protecting. It was a disaster waiting to happen.
How to measure it:
Maintain an asset inventory (sounds basic, but most organizations fail here)
Compare your inventory against actual network discoveries
Track the percentage of discovered assets not in your management systems
What good looks like:
< 5% unknown assets in production environments
< 2% unknown assets handling sensitive data
Zero unknown assets in PCI or HIPAA scope
"An unmanaged asset is just a future breach waiting to be discovered. You can't secure what you can't see."
Privileged Account Exposure Score
This metric saved a retail company from catastrophe in 2022.
They had 47 accounts with domain administrator privileges. Only 12 were actually needed for legitimate administrative functions. The other 35? Old accounts from former employees, test accounts that never got deleted, and "just in case" accounts created during emergencies.
When we implemented privileged access management and started tracking this metric, we discovered that one of those unnecessary admin accounts was being used to exfiltrate customer data. It had been active for seven months.
How to measure it:
Count total privileged accounts
Identify accounts with actual business justification
Calculate: (Unjustified Privileged Accounts / Total Privileged Accounts) × 100
What good looks like:
< 10% unjustified privileged accounts
Zero dormant privileged accounts (unused > 90 days)
100% of privileged accounts using MFA
Third-Party Risk Exposure
I've seen more organizations compromised through vendors than through direct attacks. Yet most companies have no idea what their vendor risk looks like.
A manufacturing client discovered this in 2020. Their HVAC vendor had remote access to their building management systems. Those systems were on the same network as their ERP system. The vendor's security? A shared password: "HVAC2019"
Fortunately, we caught it during a risk assessment. Others haven't been so lucky.
How to measure it:
Track percentage of vendors with security assessments completed
Monitor percentage of vendors with current compliance certifications
Calculate: Critical vendors without adequate security / Total critical vendors
What good looks like:
100% of critical vendors assessed annually
Zero high-risk vendors with network access
< 5% of vendors with outdated security reviews
Performance Indicators: Is Your Security Program Actually Working?
These metrics tell you whether your investments are paying off. They're the bridge between activity and outcomes.
Mean Time to Detect (MTTD)
The faster you detect an incident, the less damage it causes. This metric is pure gold.
I worked with an e-commerce company that reduced their MTTD from 14 days to 4 hours. The impact was dramatic:
Average incident cost: dropped from $340,000 to $28,000
Data exfiltration incidents: reduced by 89%
Ransomware success rate: dropped to zero
How to measure it:
Track time from initial compromise to detection
Include only actual incidents (not false positives)
Break down by incident type
What good looks like:
Critical incidents: < 1 hour
High-severity incidents: < 4 hours
Medium incidents: < 24 hours
The industry average MTTD is 207 days. If you're anywhere close to that, you're in serious trouble.
Mean Time to Respond (MTTR)
Detection without response is worthless. I've seen organizations detect breaches quickly but take weeks to contain them.
A financial services client had excellent detection (MTTD of 2 hours) but terrible response (MTTR of 6 days). By the time they contained incidents, the damage was done.
We implemented automated response playbooks and reduced their MTTR to 8 hours. Their average incident cost dropped 73%.
How to measure it:
Track time from detection to containment
Include only the containment phase (not full resolution)
Measure separately for different incident types
What good looks like:
Critical incidents: < 4 hours
High-severity incidents: < 24 hours
Medium incidents: < 72 hours
Security Control Effectiveness Rate
This is where most security teams get honest with themselves. Are your controls actually working?
I evaluated a healthcare organization's security controls in 2021. They had:
Email filtering (supposedly blocking 99.7% of phishing)
Endpoint protection (supposedly stopping all malware)
Network segmentation (supposedly isolating critical systems)
When we tested these controls:
Phishing: 23% of test emails reached inboxes
Malware: 34% of test samples went undetected
Segmentation: 67% of systems could reach segments they shouldn't
Their controls looked good on paper but were failing in practice.
How to measure it:
Regular testing of each security control
Track: (Successful control actions / Total control tests) × 100
Test both prevention and detection capabilities
What good looks like:
Critical controls: > 95% effectiveness
High-priority controls: > 90% effectiveness
All controls: > 80% effectiveness
"A security control that's 80% effective sounds good until you realize that 20% of attacks are getting through. Would you accept an airbag that works 80% of the time?"
Security Training Effectiveness (Not Completion Rate)
Every organization tracks training completion rates. "98% of employees completed security awareness training!" Great. Are they actually more secure?
I helped a tech company shift from measuring completion to measuring behavior change:
Before training focus:
Completion rate: 97%
Phishing click rate: 32%
Security incidents caused by employees: 78 per quarter
After training redesign:
Phishing click rate: 8%
Security incidents caused by employees: 12 per quarter
We stopped measuring whether people watched videos and started measuring whether they made better security decisions.
How to measure it:
Simulated phishing click rates (monthly tests)
Security incident rate per employee
Time to report suspicious activity
What good looks like:
Phishing click rate: < 10%
Report rate: > 60% (people reporting suspicious emails)
Declining trend in human-factor incidents
Compliance Indicators: Proving You're Doing the Work
These metrics satisfy auditors, customers, and regulators. They prove your program exists and operates consistently.
Control Audit Readiness Score
I've seen organizations scramble for months preparing for audits because they couldn't demonstrate control operation. This metric prevents that panic.
How to measure it:
List all required controls for your framework
Track which controls have current evidence
Calculate: (Controls with valid evidence / Total required controls) × 100
What good looks like:
100% of critical controls with evidence < 30 days old
95%+ of all controls audit-ready at any time
Zero controls with gaps > 90 days
A manufacturing client maintained 98% audit readiness continuously. When their SOC 2 audit came, evidence collection took 2 days instead of 2 months. They passed on first attempt with zero exceptions.
Policy Compliance Rate
Policies don't matter if nobody follows them. This metric exposes the gap between what you say and what you do.
How to measure it:
Track policy violations detected through monitoring
Calculate: (Compliant actions / Total observed actions) × 100
Break down by policy type (access control, data handling, etc.)
What good looks like:
Critical policies: > 98% compliance
Standard policies: > 90% compliance
Declining trend in repeat violations
Incident Response Plan Testing Frequency
Plans that aren't tested don't work. I've seen beautiful incident response plans fail completely during actual incidents because nobody had practiced them.
A healthcare client learned this painfully. They had a 47-page incident response plan that nobody had ever actually used. When ransomware hit, the plan called for steps that were impossible with their current tools. Their MTTR ballooned to 9 days.
How to measure it:
Track tabletop exercises conducted
Monitor actual incident response time vs. plan targets
Measure percentage of plan steps successfully executed during drills
What good looks like:
Quarterly tabletop exercises minimum
Annual full-scale exercises
< 10% deviation from plan during actual incidents
Vendor Compliance Rate
For most compliance frameworks, you're responsible for your vendors' security. This metric tracks whether your supply chain meets requirements.
How to measure it:
Track vendors requiring compliance documentation
Monitor current vs. expired certifications
Calculate: (Vendors with current compliance / Total vendors requiring compliance) × 100
What good looks like:
100% of critical vendors with current certifications
Zero vendors with expired compliance documentation
All vendors assessed before contract renewal
The Dashboard That Actually Works
After building dozens of security dashboards, here's what I put on the executive view:
The Risk Slide (1 slide, updated monthly):
MTTP trend (last 6 months)
Unknown asset percentage
Critical vendor risk count
Top 3 risks with mitigation status
The Performance Slide (1 slide, updated monthly):
MTTD/MTTR trends
Control effectiveness summary
Training effectiveness (phishing rate)
Security incident count and severity
The Compliance Slide (1 slide, updated quarterly):
Audit readiness score
Policy compliance rate
Vendor compliance status
Next audit/assessment dates
Three slides. Twenty minutes. Decisions made.
Compare that to the 40-slide deck with hundreds of metrics that tells you nothing useful.
The Metrics That Fooled Me (Learn From My Mistakes)
I've wasted years tracking metrics that seemed important but drove bad behavior:
Number of Vulnerabilities Detected
I once celebrated with a team when their vulnerability count increased 300%. More vulnerabilities found meant better scanning, right?
Wrong. They'd just expanded scanning to more systems. They weren't actually fixing vulnerabilities faster—they were just finding more to ignore.
Better metric: Percentage of vulnerabilities remediated within SLA
Number of Security Incidents Detected
A security team proudly showed me their incident count had increased 400% year-over-year. "We're detecting so many more threats!"
Turns out, they'd just made their detection rules more sensitive. 90% were false positives that wasted analyst time.
Better metric: True positive rate and MTTD for actual incidents
Percentage of Systems with Antivirus Installed
"99.8% coverage!" they announced. Unfortunately, 34% of those systems had antivirus that hadn't updated in 90+ days. It was installed, but worthless.
Better metric: Percentage of systems with up-to-date, functioning endpoint protection
"The most dangerous metrics are the ones that make you feel good while you're actually failing. They're security theater disguised as measurement."
How to Actually Implement These Metrics
Theory is useless without execution. Here's how I've successfully implemented these metrics across multiple organizations:
Month 1: Pick Your Top 5
Don't try to implement everything at once. Choose five metrics:
2 risk indicators
2 performance indicators
1 compliance indicator
Start measuring them manually if needed. Automation comes later.
Month 2-3: Establish Baselines
You need to know where you are before you can improve. Measure your chosen metrics for 2-3 months without trying to change them.
A fintech client resisted this. "We know we're bad at patching, let's just fix it!" I insisted on baseline measurement.
Good thing I did. They thought their MTTP was 14 days. It was actually 47 days. Understanding the true scope let them allocate appropriate resources.
Month 4-6: Set Realistic Targets
Based on your baseline, set quarterly improvement goals. Make them challenging but achievable.
I worked with a company that went from MTTP of 38 days to 7 days in one year by setting quarterly targets:
Q1: Reduce to 30 days
Q2: Reduce to 21 days
Q3: Reduce to 14 days
Q4: Reduce to 7 days
Achievable increments prevented burnout and maintained momentum.
Month 7-12: Automate Collection
Once you've proven the metrics drive decisions, invest in automation. Manual collection doesn't scale.
Priorities for automation:
Asset discovery and inventory
Vulnerability scanning and tracking
Log collection and incident detection
Compliance evidence gathering
Year 2: Expand and Refine
Add more metrics, but only if they drive decisions. I've seen organizations track 200+ metrics. They made zero decisions based on 180 of them.
The test: If you couldn't collect this metric for six months, would any decision be worse?
If no, stop collecting it.
Real Talk: When Metrics Lie
I need to be honest about the dark side of metrics. They can be manipulated, and I've seen it happen.
A security team was measured on vulnerability remediation rate. They started closing vulnerabilities as "won't fix" or "risk accepted" to hit their targets. Their numbers looked great. Their risk increased dramatically.
Another team was measured on phishing click rates. They started sending obviously fake phishing tests that nobody would click. Their metrics improved. Their actual security awareness didn't.
This is why I always pair metrics with reality checks:
Random sampling of closed vulnerabilities
Third-party phishing simulations
Independent security assessments
Actual incident outcomes
"Goodhart's Law applies to security metrics: When a measure becomes a target, it ceases to be a good measure. Always validate that improving metrics actually improves security."
The Metrics Conversation I Have With Every Executive
When I present security metrics to leadership, I frame it like this:
"These metrics answer three questions:
Are we safer today than yesterday? (Risk indicators)
Is our security investment working? (Performance indicators)
Can we prove our security to customers and auditors? (Compliance indicators)
If we can't answer these questions with confidence, we're not measuring the right things."
This framing cuts through the technical noise and connects security metrics to business outcomes.
Your Action Plan
Ready to overhaul your security metrics? Here's your roadmap:
This Week:
Review your current security dashboard
Ask: "What decision does each metric drive?"
Eliminate metrics that don't drive decisions
This Month:
Select your top 5 starting metrics using my framework
Begin manual collection if automation doesn't exist
Establish baseline measurements
This Quarter:
Present metrics to leadership monthly
Set improvement targets based on baselines
Identify automation opportunities
This Year:
Automate metric collection
Expand to 10-15 core metrics
Integrate metrics into business planning
The Bottom Line
After fifteen years of building security programs and sitting through hundreds of board presentations, here's what I know:
The right metrics transform security from a cost center to a business enabler. They make invisible risks visible. They turn vague concerns into concrete actions. They prove that security investments deliver value.
But most importantly, they answer the question that CEO asked me at the beginning of this article:
"Are we more secure today than we were six months ago?"
If your metrics can't answer that question with confidence, it's time to change what you're measuring.
Because in cybersecurity, what you measure determines what you manage. And what you manage determines whether you survive.
Choose your metrics wisely. They might just save your company.
Want to build a metrics program that actually drives security improvements? Subscribe to PentesterWorld's newsletter for practical frameworks, templates, and real-world examples from the cybersecurity trenches.