Effective Security Program Board Metrics and Updates
Communicating the right metrics to the board provides them with objective data that can be used to assess the program’s performance, identify areas of improvement, and communicate its effectiveness.
Here are some effective security program board metrics and updates that can help security leaders communicate the organization's overall posture and improvement plans:
Incident Detection and Response
Mean Time to Detect (MTTD): This metric measures the average time between the earliest evidence of a security incident or breach (the point at which the compromise began) and its detection. A lower MTTD indicates a security program that identifies threats quickly. Because the start of an incident is usually only established during the investigation, state how the start time is determined, and report a median or percentile alongside the mean so that a single long-dwell incident does not distort the picture.
Mean Time to Respond (MTTR): MTTR measures the average time from detection of a security event, incident, or breach to its containment or resolution. A lower MTTR indicates a more efficient incident response process and a quicker return to normal operations. Because "respond" is defined differently across organizations (time to acknowledge, to contain, or to fully recover), state which definition is used and keep it consistent from one reporting period to the next.
Number of Security Incidents: This metric tracks the total number of security incidents or breaches over a specific period. It provides a high-level view of the program's overall security posture and can help identify trends or patterns in the occurrence of incidents. Note that improved detection often increases the count, so this figure should be read alongside MTTD and incident severity rather than on its own.
Security Incident Response Capability (SIRC): SIRC measures the organization’s ability to effectively respond to and manage security incidents. It assesses factors such as the availability of incident response plans, trained personnel, and established processes. A higher SIRC score indicates a more mature and capable incident response capability.
Vulnerability Remediation Rate: This metric tracks the speed at which identified vulnerabilities are remediated or mitigated. It indicates how quickly the security program can address known vulnerabilities, reducing the organization’s exposure to potential threats.
Major vulnerabilities (e.g., Log4Shell in Log4j) that affect the organization should be highlighted along with their remediation status and the mitigations put in place in the interim.
When presenting vulnerability metrics, include each vulnerability's exploitability (for example, whether exploitation in the wild is known) and whether the affected assets are externally reachable or internal to the organization, since those two factors drive the actual exposure and therefore the remediation priority.
Newsworthy items: This update covers vulnerabilities or issues that are publicly known and affect many organizations. Even where they do not affect the organization, it is important to acknowledge awareness of them and to show that their applicability and potential impact to the organization have been researched.
Security Awareness and Reporting Response Rate: This metric measures employees' security awareness actions and their responses, together with employee reporting metrics such as phishing or suspicious-activity reports and how quickly those reports were acted on. Higher training completion and attendance rates, and higher reporting rates, suggest a more informed workforce that is better equipped to recognize and respond to security threats.
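As an added worked example (not part of the original article), the following Python computes the incident and vulnerability metrics described above from constructed records. The incident and vulnerability identifiers, timestamps, severity SLAs, and the "escalate" rule are hypothetical and chosen for illustration; a real program would substitute its own ticketing data and remediation policy.

```python
from datetime import date, datetime
from statistics import mean, median

# Constructed sample data for illustration only. Identifiers are invented and
# do not refer to any real incident or real CVE.
INCIDENTS = [
    # first_evidence: earliest attacker activity found during the investigation
    # detected: when the SOC opened the case; contained: when the threat was contained
    {"id": "INC-1", "first_evidence": "2024-03-01T02:00", "detected": "2024-03-01T10:00", "contained": "2024-03-01T14:00"},
    {"id": "INC-2", "first_evidence": "2024-03-05T00:00", "detected": "2024-03-07T00:00", "contained": "2024-03-07T12:00"},
    {"id": "INC-3", "first_evidence": "2024-03-10T09:00", "detected": "2024-03-10T09:30", "contained": "2024-03-10T11:30"},
    {"id": "INC-4", "first_evidence": "2024-03-20T00:00", "detected": "2024-03-20T06:00", "contained": "2024-03-21T06:00"},
]

VULNS = [
    # exposure: "external" = reachable from the internet; exploited: exploitation in the wild is known
    {"id": "VULN-1", "severity": "critical", "exposure": "external", "exploited": True,  "opened": "2024-03-01", "closed": "2024-03-05"},
    {"id": "VULN-2", "severity": "critical", "exposure": "external", "exploited": True,  "opened": "2024-03-20", "closed": None},
    {"id": "VULN-3", "severity": "high",     "exposure": "internal", "exploited": False, "opened": "2024-02-01", "closed": "2024-03-10"},
    {"id": "VULN-4", "severity": "high",     "exposure": "external", "exploited": False, "opened": "2024-03-15", "closed": None},
    {"id": "VULN-5", "severity": "medium",   "exposure": "internal", "exploited": False, "opened": "2024-03-01", "closed": "2024-03-20"},
    {"id": "VULN-6", "severity": "critical", "exposure": "internal", "exploited": True,  "opened": "2024-03-25", "closed": "2024-03-28"},
]

# Hypothetical remediation SLA, in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def detection_response_metrics(incidents):
    """MTTD = first evidence -> detection; MTTR = detection -> containment.

    Both mean and median are returned because one long-dwell incident drags
    the mean up and would otherwise hide how the typical case performs.
    """
    ttd = [_hours(i["first_evidence"], i["detected"]) for i in incidents]
    ttr = [_hours(i["detected"], i["contained"]) for i in incidents]
    return {
        "incidents": len(incidents),
        "mttd_mean_h": mean(ttd), "mttd_median_h": median(ttd),
        "mttr_mean_h": mean(ttr), "mttr_median_h": median(ttr),
    }


def remediation_metrics(vulns, as_of, sla_days=SLA_DAYS):
    """Remediation rate, SLA adherence and the items that warrant board attention."""
    as_of = date.fromisoformat(as_of)
    closed, within_sla, escalate, days_to_close = 0, 0, [], []
    for v in vulns:
        opened = date.fromisoformat(v["opened"])
        end = date.fromisoformat(v["closed"]) if v["closed"] else as_of
        age = (end - opened).days          # days to close, or current age if still open
        sla = sla_days[v["severity"]]
        if v["closed"]:
            closed += 1
            days_to_close.append(age)
        if age <= sla:                      # closed in time, or still open but inside SLA
            within_sla += 1
        # Hypothetical escalation rule: open items already past SLA, or open items that
        # are externally reachable and known to be exploited, go on the board slide.
        if not v["closed"] and (age > sla or (v["exposure"] == "external" and v["exploited"])):
            escalate.append(v["id"])
    return {
        "total": len(vulns),
        "remediation_rate": closed / len(vulns),
        "within_sla_rate": within_sla / len(vulns),
        "mean_days_to_close": mean(days_to_close) if days_to_close else None,
        "escalate": escalate,
    }


if __name__ == "__main__":
    print(detection_response_metrics(INCIDENTS))
    print(remediation_metrics(VULNS, "2024-04-01"))
```

On the constructed data the mean MTTD (15.6 hours) is more than double the median (7 hours) because of the single two-day dwell in INC-2, which is exactly the distortion the caveat above warns about; the vulnerability function flags only VULN-2, an externally reachable, actively exploited critical that is past its SLA, rather than listing every open finding.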
Employee Security Training Effectiveness: This metric assesses the impact of security training programs on employees’ knowledge, behavior, and ability to follow security best practices. It can be measured through pre- and post-training assessments, simulated phishing campaigns, or other evaluation methods.
Risk Assessment Coverage: This metric evaluates the extent to which risk assessments are conducted across the organization. It measures the percentage of systems, applications, or processes that have undergone a formal risk assessment. A higher coverage rate indicates a more comprehensive and proactive approach to organizational risk management.
Status of organizational audits and certifications (e.g., ISO 27001): These assessments identify the maturity of functional areas and those requiring change. They also provide early warning of issues or major concerns with upcoming assurance and certification efforts (e.g., ISO 27001, SOC 1/SOC 2) that may require awareness and support from organizational leadership and the board.
Critical Security Program Process Improvements: Communicate critical process updates that reflect current threats and risks to the organization. These can include updates to the organization's incident response plan and associated resiliency playbooks (e.g., ransomware, business continuity and disaster recovery), as well as the results of recent tabletop exercises, lessons learned, and the changes made as a result.
Supply Chain Issues: This provides updates on critical supply chain issues affecting the organization. The recent pandemic highlighted over-reliance on supply chains without appropriate contingencies to support critical business operations and functions. Delays to critical operating components (e.g., chips, security controls) across the globe can lead to gaps in security controls across different geographic organizational locations. Highlight these issues and the ways the organization is dealing with them.
Geopolitical issues (e.g., the war in Ukraine): Geopolitical issues can affect an organization in various ways. The war in Ukraine highlighted how dependencies on workers and supply chains can be disrupted by tensions, civil unrest, or the outbreak of war in various regions of the world. Appropriate oversight and awareness of where your organization conducts business, and of its reliance on workers or third parties there, can assist the organization's business resiliency and its recovery from business disruptions.
Security Policies and Standards Compliance: This metric assesses the organization’s compliance with internal security policies, industry standards, and regulatory requirements. It can be measured through internal and external audits or self-assessments and provides insight into the organization’s adherence to established security practices.
Cybersecurity Investment ROI: This metric evaluates the return on investment (ROI) of security-related expenditures. It measures the cost-effectiveness of security controls, technologies, or initiatives by comparing the investment made with the benefits derived, such as reduced incident costs or avoided breaches. Another valuable component is demonstrating how cost-reducing measures such as technology standardization or consolidation have reduced overall costs, strengthened overall security controls, and improved time to detect and respond.
Total headcount vs. open critical positions: This metric provides an overview of the total headcount funded for the security program and the number of critical open positions, and whether those open positions are affecting the ability to fulfill the security mission of the organization. Include data on what is being done to mitigate and fill the critical open security positions.
If your organization has diversity hiring goals, then data supporting the organization’s diversity hiring initiative should also be incorporated.
If your security program also includes physical security responsibilities, then you must account for those as well.
Report the status of the critical physical security program and its associated projects. These should account for organizational location hot zones (e.g., country-specific threats close to office locations).
The selection of metrics and updates should align with the organization's security objectives, goals, and risk profile. While there is no one-size-fits-all set for organizations to adopt, these are some of the most commonly used. It is important to regularly review and refine the metrics to ensure they remain relevant and provide meaningful insight into the effectiveness of the security program. As boards continue to become more technical and cyber savvy, they will demand more detail and context to ensure appropriate governance and assurance of the organizational security program and its associated controls.