The Dashboard Nobody Uses
Your security tool shows 47 metrics. Your board wants a security update. Your CEO asks "are we secure?" You have no idea which number to show—because none of them actually answer the question.
Most security metrics measure activity, not outcomes. "We ran 1,247 scans" doesn't tell you if you're more secure. "Time to patch critical vulnerabilities decreased from 30 days to 7" does. The difference matters.
This guide shows you which security metrics actually matter, how to measure them, and how to present them to different audiences.
The Metrics That Matter
Tier 1: Executive/Board Metrics
High-level indicators that non-technical leadership can understand:
Boards don't want 40 metrics. They want to know: Are we at risk? Are we getting better? What do we need? Five metrics with trend lines beat fifty metrics without context.
Tier 2: Management Metrics
Operational indicators for security and IT leadership:
Vulnerability Management:
- Open vulnerabilities by severity
- Average age of open vulnerabilities
- Vulnerability remediation rate
- False positive rate
Access & Identity:
- Accounts without MFA
- Privileged account count
- Access review completion rate
- Offboarding timeliness
Detection & Response:
- Mean time to detect (MTTD)
- Mean time to respond (MTTR)
- Alert volume and false positive rate
- Incidents by category
Program Health:
- Policy compliance rate
- Training completion rate
- Vendor assessment coverage
- Pentest finding closure rate
Tier 3: Operational Metrics
Day-to-day indicators for security practitioners:
- Patch Coverage — Percentage of systems at current patch level
- Endpoint Protection Coverage — Devices with EDR installed and active
- Backup Success Rate — Percentage of backups completing successfully
- Phishing Simulation Results — Click rate, report rate by department
- Security Tool Uptime — Are your security tools actually running?
Building Your Metrics Program
Step 1: Start with Questions
Don't start with metrics—start with what you need to know:
- Risk: What are our biggest security risks right now?
- Trend: Are we getting more or less secure over time?
- Operations: Are our security controls working?
- Compliance: Will we pass our next audit?
- Investment: Are we spending security budget effectively?
Step 2: Choose Metrics That Answer
Good metrics are: Specific (clear definition), Measurable (you can actually collect it), Actionable (you can influence it), Relevant (it matters to the audience), Time-bound (measured consistently over time).
Step 3: Establish Baselines
You can't show improvement without knowing where you started. For each metric:
- Measure current state (baseline)
- Research industry benchmarks
- Set realistic targets
- Define measurement frequency
Step 4: Automate Collection
Manual metrics don't get measured. Automate wherever possible:
- Vulnerability scanners — Export vulnerability counts and ages
- Identity providers — Report on MFA adoption, inactive accounts
- SIEM/logging — Alert volumes, response times
- Compliance platforms — Control status, evidence collection
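As an added example (not code from the original guide), the following shows how the Tier 2 vulnerability-management and detection metrics above can be computed once the Step 4 exports exist: open counts by severity, average age of open findings, remediation rate for a reporting window, mean time to patch by severity, and MTTD/MTTR from incident records. The scanner rows, incident records and field names are constructed assumptions standing in for a real export.

```python
from datetime import date
from statistics import mean
# Constructed vulnerability scanner export (ISO dates, not real data);
# "closed" is None while the finding is still open.
VULNS = [
    {"id": "V-1", "severity": "critical", "opened": "2024-01-03", "closed": "2024-01-09"},
    {"id": "V-2", "severity": "critical", "opened": "2024-01-20", "closed": None},
    {"id": "V-3", "severity": "high", "opened": "2024-01-05", "closed": "2024-01-25"},
    {"id": "V-4", "severity": "high", "opened": "2024-02-01", "closed": None},
    {"id": "V-5", "severity": "medium", "opened": "2023-12-01", "closed": None},
    {"id": "V-6", "severity": "critical", "opened": "2024-01-28", "closed": "2024-02-02"},
]
# Constructed incident records: attacker activity start, detection, containment.
INCIDENTS = [
    {"started": "2024-01-10", "detected": "2024-01-12", "contained": "2024-01-13"},
    {"started": "2024-02-01", "detected": "2024-02-05", "contained": "2024-02-08"},
]

def _d(s):
    return date.fromisoformat(s) if s else None  # None stays None (still open)

def open_by_severity(vulns):
    counts = {}
    for v in vulns:
        if v["closed"] is None:
            counts[v["severity"]] = counts.get(v["severity"], 0) + 1
    return counts

def average_open_age_days(vulns, as_of):
    ages = [(_d(as_of) - _d(v["opened"])).days for v in vulns if v["closed"] is None]
    return mean(ages) if ages else 0.0

def remediation_rate(vulns, start, end):
    """Share of findings open at any point in the window that were closed inside it."""
    s, e = _d(start), _d(end)
    in_window = [v for v in vulns if _d(v["opened"]) <= e and (v["closed"] is None or _d(v["closed"]) >= s)]
    closed = [v for v in in_window if v["closed"] and s <= _d(v["closed"]) <= e]
    return len(closed) / len(in_window) if in_window else 0.0

def mean_time_to_patch_days(vulns, severity):
    """Mean opened-to-closed time for one severity: an outcome, not an activity count."""
    spans = [(_d(v["closed"]) - _d(v["opened"])).days for v in vulns if v["severity"] == severity and v["closed"]]
    return mean(spans) if spans else None

def mttd_mttr_days(incidents):
    """Mean time to detect (start->detect) and mean time to respond (detect->contain)."""
    mttd = mean((_d(i["detected"]) - _d(i["started"])).days for i in incidents)
    mttr = mean((_d(i["contained"]) - _d(i["detected"])).days for i in incidents)
    return mttd, mttr
```

Run the same functions against each month's export and keep the results with their targets; the trend line, not any single snapshot, is what the board section below asks for.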
Presenting Metrics
To the Board
Do:
- Lead with risk and trend
- Show 5-7 key metrics maximum
- Include comparison to targets
- Connect to business impact
- End with asks (budget, decisions)
Don't:
- Show 40 metrics
- Use technical jargon
- Present raw numbers without context
- Hide bad news
- Present activity as outcome
To Engineering/IT
- More Detail — Technical specifics they can act on
- Ownership Clarity — Metrics by team or system owner
- Remediation Focus — What needs fixing and priority
- Trend Analysis — Are their changes improving things?
To Customers
- Compliance Status — SOC 2, ISO 27001 certification status
- Incident History — Transparency about past issues
- Uptime Metrics — Availability and reliability
- Response Commitments — SLA compliance
Common Metrics Mistakes
Mistake 1: Measuring Activity, Not Outcomes
"We blocked 10,000 attacks" sounds impressive but means nothing. Blocked by what? Were they real attacks? Did any get through? Focus on outcomes: vulnerabilities fixed, incidents prevented, time to detect.
Mistake 2: Vanity Metrics
Metrics that always look good but don't indicate security: "100% of employees completed training" says nothing about behavior change. "Phishing click rate dropped 60%" does.
Mistake 3: Too Many Metrics
Measuring everything means focusing on nothing. Pick 10-15 metrics that matter. Better to track 10 well than 50 poorly.
Mistake 4: No Targets or Trends
"We have 47 critical vulnerabilities" means nothing without context. Is that up or down? Against what target? Compared to peers? Raw numbers need context.
Sample Security Dashboard
Quick Start: Your First Week
Day 1-2: Identify Your Audience
Who needs metrics? Board? Leadership? Engineering? Each needs different things.
Day 3: Choose Your Top 10
Pick 10 metrics that answer: What's our risk? Are we improving? Are controls working?
Day 4-5: Establish Baselines
Measure current state for each metric. This is your starting point.
Day 6-7: Build Your Dashboard
Create a simple dashboard (even in a spreadsheet) with current values, targets, and trends.
Next Steps
Security metrics should answer questions, not create them. Start with what your audiences need to know, choose metrics that answer those questions, and present them with context.
Begin with five metrics for your board. Add operational metrics for your team. Automate collection so you actually keep measuring. Iterate based on what proves useful.
Building your metrics program? vCISO Lite provides built-in security dashboards with board-ready reporting, trend tracking, and benchmark comparisons—so you can demonstrate security posture without building reports from scratch.