Which cybersecurity metrics do you currently use with your board?

5.3k viewscircle icon5 Comments
Sort by:
CIO in Energy and Utilitiesa month ago

We use a combination of CSMA, BitSight, and milestones on our 3-year Cyber Maturity roadmap. Most metrics/benchmarks are merely a yardstick, and what's important is that your organization matures at a steady pace.

Lightbulb on1
Director of Information Security in Finance (non-banking)a month ago

None at all.
Just talking about risk values and their progress (up - down) and costs.

Chief Information Security Officera month ago

Business Unit Contributions: All indicators are provided by individual business units, highlighting varying levels of cybersecurity maturity across the organization. This comparative view serves as a guide for prioritizing remediation efforts.

• External Threats: Overview of threats related to our external environment.

For each threat, the dashboard includes readiness indicators for:
    • Protection
    • Response
    • Recovery

• Internal Key Risk Indicators (KRIs):
    • Vulnerabilities
    • Endpoint protection (servers, workstations, and network)
    • Database security
    • Third-party risk
    • System hardening
    • Patch Management 

• Business-Critical Application Vulnerabilities
• Cultural Risk: Human factor and security awareness
• Penetration Test Results
• NIST Framework Adherence
• External Risk Score: Based on SecurityScorecard
• Critical and High Severity Incidents
• Cybersecurity Strategic Plan: Execution status and results
• Audit Findings and Outcomes

Director of Information Security in Healthcare and Biotech8 months ago

We focus on rolled up risks, phishing, vulnerability management and program risks. We try to reduce noise as much as possible, but they do creep in as board security awareness and desire for the right level of metrics is being baselined. 

VP of IT in Manufacturinga year ago

I suggest to look into the Gartner ODMs (Outcome-driven metrics) for Cybersecurity. We have adapted these 16 metrics, and one of the benefits is that it is possible to communicate them in an meaningful way for top management.
Other benefits are that they come as a pre-defined framework and that you can get benchmarks that at least in our case answers the the first question from leadership: How are others doing?

Lightbulb on2

Content you might like

Genuine strategy in cybersecurity.59%

Purely a marketing gimmick.33%

Unsure.7%

View Results

< 1 year4%

1 - 2 years37%

2 - 4 years40%

4 - 5 years11%

> 5 years6%

View Results