Which cybersecurity metrics do you currently use with your board?

5.2k viewscircle icon5 Comments
Sort by:
CIO in Energy and Utilities21 days ago

We use a combination of CSMA, BitSight, and milestones on our 3-year Cyber Maturity roadmap. Most metrics/benchmarks are merely a yardstick, and what's important is that your organization matures at a steady pace.

Lightbulb on1
Director of Information Security in Finance (non-banking)21 days ago

None at all.
Just talking about risk values and their progress (up - down) and costs.

Chief Information Security Officer24 days ago

Business Unit Contributions: All indicators are provided by individual business units, highlighting varying levels of cybersecurity maturity across the organization. This comparative view serves as a guide for prioritizing remediation efforts.

• External Threats: Overview of threats related to our external environment.

For each threat, the dashboard includes readiness indicators for:
    • Protection
    • Response
    • Recovery

• Internal Key Risk Indicators (KRIs):
    • Vulnerabilities
    • Endpoint protection (servers, workstations, and network)
    • Database security
    • Third-party risk
    • System hardening
    • Patch Management 

• Business-Critical Application Vulnerabilities
• Cultural Risk: Human factor and security awareness
• Penetration Test Results
• NIST Framework Adherence
• External Risk Score: Based on SecurityScorecard
• Critical and High Severity Incidents
• Cybersecurity Strategic Plan: Execution status and results
• Audit Findings and Outcomes

Director of Information Security in Healthcare and Biotech7 months ago

We focus on rolled up risks, phishing, vulnerability management and program risks. We try to reduce noise as much as possible, but they do creep in as board security awareness and desire for the right level of metrics is being baselined. 

VP of IT in Manufacturinga year ago

I suggest to look into the Gartner ODMs (Outcome-driven metrics) for Cybersecurity. We have adapted these 16 metrics, and one of the benefits is that it is possible to communicate them in an meaningful way for top management.
Other benefits are that they come as a pre-defined framework and that you can get benchmarks that at least in our case answers the the first question from leadership: How are others doing?

Lightbulb on2

Content you might like

Yes, we have usage-based billing19%

Yes, I've considered it54%

No, I haven't considered it22%

I'm unfamiliar with "usage-based billing"2%

View Results

< 1 year4%

1 - 2 years36%

2 - 4 years41%

4 - 5 years11%

> 5 years6%

View Results