Security Metrics and KPIs: What to Measure and Report to the Board
Which security metrics actually matter — MTTD, MTTR, vulnerability SLAs, risk score trends — and how to build executive dashboards that drive decisions.
Security Metrics and KPIs: What to Measure and Report to the Board
Security teams that cannot communicate their program's value in business terms will lose budget, headcount, and board attention to teams that can. Security metrics are not just operational tools — they are the translation layer between technical security posture and business risk.
The challenge is that most security metrics are easy to game, hard to contextualize, or technically accurate but strategically meaningless. "We blocked 10,000 attacks last month" tells the board nothing about residual risk. "Our critical vulnerability remediation time improved from 47 days to 12 days, putting us in the top quartile of our industry" tells them something actionable.
Foundational Metrics: What to Track
Mean Time to Detect (MTTD)
How long between when an incident began and when your team detected it.
Why it matters: The longer an attacker is in your environment before detection, the greater the damage. The industry median dwell time is currently around 16 days for financially motivated attackers.
How to measure:
SELECT
AVG(EXTRACT(EPOCH FROM (detected_at - started_at)) / 3600) AS mttd_hours,
PERCENTILE_CONT(0.50) WITHIN GROUP (ORDER BY
EXTRACT(EPOCH FROM (detected_at - started_at)) / 3600) AS median_hours
FROM incidents
WHERE started_at IS NOT NULL
AND detected_at IS NOT NULL
AND occurred_at > NOW() - INTERVAL '90 days';
Target: Depends on your threat model. For most SaaS companies, a target of less than 1 hour for P1 incidents and less than 24 hours for P2 is reasonable.
Mean Time to Respond (MTTR)
How long between detection and containment/resolution.
Phases to track separately:
- MTTR to acknowledge (time from alert to analyst begins investigation)
- MTTR to contain (time from detection to attacker locked out)
- MTTR to resolve (time from detection to full remediation and close)
Tracking these separately reveals where the bottleneck is: Is detection fast but response slow? Is containment fast but remediation slow?
Vulnerability Remediation SLA Compliance
The percentage of vulnerabilities remediated within your defined SLA by severity.
Define your SLAs:
| Severity | Remediation SLA |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 90 days |
| Low | 180 days |
Measure:
SELECT
severity,
COUNT(*) AS total,
SUM(CASE WHEN remediated_at - discovered_at <= sla_days * INTERVAL '1 day'
THEN 1 ELSE 0 END) AS on_time,
ROUND(100.0 * SUM(CASE WHEN remediated_at - discovered_at <= sla_days * INTERVAL '1 day'
THEN 1 ELSE 0 END) / COUNT(*), 1) AS sla_compliance_pct
FROM vulnerabilities
WHERE remediated_at IS NOT NULL
AND discovered_at > NOW() - INTERVAL '90 days'
GROUP BY severity, sla_days
ORDER BY CASE severity WHEN 'critical' THEN 1 WHEN 'high' THEN 2
WHEN 'medium' THEN 3 ELSE 4 END;
Target: 95%+ SLA compliance for Critical; 90%+ for High.
Security Debt: Open Vulnerabilities by Age and Severity
A snapshot of unresolved vulnerabilities bucketed by severity and age.
| Severity | < 7 days | 7-30 days | 30-90 days | > 90 days |
|---|---|---|---|---|
| Critical | 2 | 0 | 0 | 0 |
| High | 12 | 8 | 3 | 1 |
| Medium | 34 | 29 | 45 | 12 |
Anything in the "Critical > 7 days" or "High > 30 days" buckets is SLA violation and warrants explanation.
Patch Coverage
The percentage of managed systems running current OS and application patches.
Why it matters: Unpatched systems are the most common initial access vector for ransomware and commodity malware. Board members understand "X% of our systems are unpatched" immediately.
Target: 98%+ patch compliance within 30 days of patch release for high-severity CVEs; 95%+ for routine patches.
MFA Adoption Rate
The percentage of employees with MFA enabled on critical systems.
Track by application tier:
- Tier 1 (Identity Provider, email, VPN): Target 100%
- Tier 2 (SaaS productivity tools): Target 100%
- Tier 3 (Internal tools, dev tooling): Target 95%+
Phishing Simulation Click Rate
Percentage of employees who click on simulated phishing emails.
Trend is more important than absolute number. A 25% click rate that drops to 10% over 12 months demonstrates the training program is working.
Track separately:
- Click rate (opened and clicked link)
- Credential submission rate (entered credentials on phishing page)
- Report rate (reported the phishing email to IT)
Risk Score Trends
Point-in-time security scores are less meaningful than trends. A security score that is declining is more concerning than a stable low score — at least a stable score is predictable.
Internal risk score components:
- Vulnerability exposure score (count × severity × exposure)
- Access hygiene score (privileged accounts with MFA, orphaned accounts, overprivileged roles)
- Patch currency score
- Security control coverage (percentage of systems with EDR, logging, etc.)
Track each component weekly and report the 30/60/90 day trend.
External risk score: Services like SecurityScorecard, BitSight, and RiskRecon provide external-facing security ratings based on observable indicators. These are used by customers, partners, and cyber insurers to assess your security posture. Knowing your external score before a customer asks is table stakes.
Board-Level Reporting
The board does not need to understand CVE scoring or CVSS vectors. They need to understand:
- What is our current risk posture? (Rising, falling, stable)
- How do we compare to our industry? (Percentile benchmarks)
- What are our top 3 risks right now?
- Are we meeting our remediation commitments? (SLA compliance)
- What are we investing in and why?
One-page board security summary structure:
SECURITY POSTURE SUMMARY — Q1 2026
Overall Risk Trend: ▼ Improving
Key Metrics:
• MTTD (P1 Incidents): 42 min [Target: <60 min] ✓
• MTTR (P1 Incidents): 3.2 hrs [Target: <4 hrs] ✓
• Critical Vuln SLA: 97% [Target: 95%] ✓
• MFA Coverage (Tier 1): 99.3% [Target: 100%] →
• Phishing Click Rate: 8.2% [Target: <10%] ✓
Top Risks This Quarter:
1. [Risk description, business impact, mitigation status]
2. [...]
3. [...]
Security Investments Q1:
• EDR rollout completed: 98% device coverage
• Vendor security review program: 12 vendors assessed
• Pending: FIDO2 rollout for remaining 7 users missing hardware keys
Keep board slides to 3-5 slides maximum. Lead with business impact, not technical detail. When something is red (not meeting target), explain why and what the remediation plan is.
Common Metric Pitfalls
Vanity metrics — "We blocked 50,000 attacks" sounds impressive but means nothing without context. What was the false positive rate? How many real attacks got through?
Output metrics instead of outcome metrics — "We ran 200 security awareness training courses" measures activity, not effectiveness. "Phishing click rate dropped from 22% to 8%" measures outcome.
Leading vs. lagging indicators — MTTD and MTTR are lagging indicators (they measure past incidents). Patch compliance and vulnerability age are leading indicators (they measure conditions that determine future incident probability). Use both.
Gaming — Teams aware of which metrics are tracked will optimize for those metrics, sometimes at the expense of unmeasured but important work. Rotate metric focus periodically and use qualitative reviews alongside quantitative metrics.
Security metrics are a compass, not a destination. They point you toward where to invest attention and resources, but the judgment about what to do with them still requires human security expertise.