Could you please share the top 5 security metrics you measure for control effectiveness and board reporting?

Director of Information Security in Manufacturing, 3 years ago

Building on the remarks of Sean Higgins, there are certainly examples of metrics that can be presented, of course with appropriate context, e.g.:

- Incidents; Number / Time to detect / Time to resolve
- Vulnerabilities; Average score per device category / Time to resolve
- Maturity or Compliance; Using whatever framework you agreed to (e.g. NIST-CSF) or relevant legal requirements
- Awareness Training; tricky one, but metrics like frequency / click rate give at least some insight
- Access management; the degree to which the JML process works as intended
- Recover capability; insight into the number of hours/days to restore critical functionalities

Again, none of those metrics should become an absolute goal, but they help give some level of repeatable and objective reporting.

Principal Consultant in IT Services, 3 years ago

Metrics are very dependent on your business and where you are in your security life cycle, but one question you should be asking yourself whenever developing metrics is "how can I influence this metric?" To extend that, when talking to the board, "what decision can they make based on this metric?"

A lot of times, I have seen people give metrics using the number of vulnerabilities they have found in their environment. Well, you cannot influence that number. That number is based on how good the hackers are. What you can influence is how quickly you can remediate those vulnerabilities and set a mean time to remediate measurement and goal.

And, if remediation is taking too long, you can go to the board/senior management and ask them to accept the risk of how long it takes to remediate the vulnerabilities, give you money to hire more people to reduce the time to remediate, or buy some technology to help you automate the process, etc. Something they can act on.

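Both answers above point at the same family of numbers: time to detect and resolve incidents, and time to remediate vulnerabilities measured against a target the board can fund or accept. The following is an added example, not code from either poster; it computes those metrics from a handful of constructed vulnerability and incident records. The SLA targets per severity, the record fields and every date are assumptions made up for the illustration. It deliberately reports an SLA breach rate that counts open findings past their deadline alongside the closed-only mean, so a growing backlog cannot hide behind a flattering average.

```python
"""Board-level security metrics from constructed sample records.

Added example, not from the original thread. Every record, SLA target and
date below is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean
from typing import Optional

# Constructed remediation targets in days per severity (assumption, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: str
    device_category: str
    discovered: date
    remediated: Optional[date]  # None while the finding is still open


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred: datetime
    detected: datetime
    resolved: datetime


def days_open(v: Vulnerability, as_of: date) -> int:
    """Age of a finding: discovery to remediation, or to as_of if still open."""
    end = v.remediated or as_of
    return (end - v.discovered).days


def mean_time_to_remediate(vulns, severity):
    """Mean days from discovery to remediation for closed findings of one severity.

    Open findings are excluded here on purpose; their age is captured by
    sla_breach_rate instead, so the two numbers should be read together.
    """
    closed = [days_open(v, v.remediated) for v in vulns
              if v.severity == severity and v.remediated is not None]
    return mean(closed) if closed else None


def sla_breach_rate(vulns, severity, as_of):
    """Share of findings (open or closed) that exceeded the SLA for their severity."""
    scoped = [v for v in vulns if v.severity == severity]
    if not scoped:
        return None
    breached = sum(1 for v in scoped if days_open(v, as_of) > SLA_DAYS[severity])
    return breached / len(scoped)


def incident_metrics(incidents):
    """Mean time to detect (occurred->detected) and to resolve (detected->resolved), in hours."""
    if not incidents:
        return {"count": 0, "mttd_hours": None, "mttr_hours": None}
    ttd = [(i.detected - i.occurred).total_seconds() / 3600 for i in incidents]
    ttr = [(i.resolved - i.detected).total_seconds() / 3600 for i in incidents]
    return {"count": len(incidents), "mttd_hours": mean(ttd), "mttr_hours": mean(ttr)}


def board_summary(vulns, incidents, as_of):
    """One block per severity plus incident figures: numbers a board can act on."""
    return {
        "as_of": as_of.isoformat(),
        "vulnerabilities": {
            sev: {
                "mttr_days": mean_time_to_remediate(vulns, sev),
                "sla_days": SLA_DAYS[sev],
                "sla_breach_rate": sla_breach_rate(vulns, sev, as_of),
                "open": sum(1 for v in vulns if v.severity == sev and v.remediated is None),
            }
            for sev in SLA_DAYS
        },
        "incidents": incident_metrics(incidents),
    }


# Constructed sample data (not real findings or incidents).
SAMPLE_VULNS = [
    Vulnerability("V-1", "critical", "server", date(2024, 1, 1), date(2024, 1, 5)),
    Vulnerability("V-2", "critical", "server", date(2024, 1, 10), date(2024, 1, 30)),
    Vulnerability("V-3", "high", "workstation", date(2024, 1, 2), date(2024, 1, 20)),
    Vulnerability("V-4", "high", "workstation", date(2024, 2, 1), None),
    Vulnerability("V-5", "medium", "server", date(2024, 1, 15), date(2024, 2, 24)),
    Vulnerability("V-6", "critical", "workstation", date(2024, 2, 20), None),
]
SAMPLE_INCIDENTS = [
    Incident("I-1", datetime(2024, 1, 3, 8), datetime(2024, 1, 3, 10), datetime(2024, 1, 4, 10)),
    Incident("I-2", datetime(2024, 2, 10, 0), datetime(2024, 2, 12, 0), datetime(2024, 2, 12, 12)),
]
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    import json
    print(json.dumps(board_summary(SAMPLE_VULNS, SAMPLE_INCIDENTS, AS_OF), indent=2))
```

With the constructed data, the critical mean time to remediate is 12 days against a 7-day target, and two of three critical findings breached the SLA (one of them still open). That pair of numbers is the kind of thing the second answer describes: the board can accept the risk, fund more remediation capacity, or pay for automation, and the next report shows whether the decision moved the metric.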
