[Cybersecurity Architecture] KPI, Metrics & Dashboards - NETSEC

Friday, March 10, 2023

[Cybersecurity Architecture] KPI, Metrics & Dashboards

This post summarizes cybersecurity metrics suitable for reporting to a board or risk committee.

Why Metric Reporting?

  • Reporting drives program success
  • Gives an overall status of the cyber program and its impact on the enterprise
  • Supports effective allocation of funding and resources
  • Supports regulatory reporting requirements
  • Quantifies cyber resilience, leading to reduced customer and shareholder risk
  • Provides the context for budget increases
  • Addresses current and future threats
  • Conveys information to the board through metrics
  • Framed in terms of maturity, risk and cost

  • Must be actionable
  • Must have clarity, answering:
    • Is the cyber program working?
    • Is the cyber program adequately funded?
    • Is the cyber program reducing customer and shareholder risk?

Common Goals

  • Literature review/survey of NIST, FFIEC, CIS, SOC and ISO guidance
  • Reportable metrics, as identified in the literature review
  • Appropriateness for effective decision making

Cyber Metrics Development Process

  • Assess
  • Discuss
  • Research
  • Broader Discussion
  • Effective Cyber Metrics

Metric Examples

For the following common areas:
1. Cybersecurity training
2. Spam / phishing email management
3. Patch management
4. Antivirus / antispyware coverage
5. Incident management
6. Audit management
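The post lists the areas but not how the numbers are produced. As an added example (not code from the original post), the script below computes one board-level KPI for each of the six areas from constructed sample records and assigns a green/amber/red status against a target, the way a dashboard row would. The SLA days, targets, tolerance, record layouts and all sample data are assumptions; the point is the scoring rules, e.g. that an open critical finding already past its SLA counts as a breach, and that an installed but silent AV agent counts as uncovered.

```python
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median
from typing import Optional

AS_OF = date(2023, 3, 10)                                     # reporting date (assumed)
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}   # remediation SLA (assumed)


def pct(part: int, whole: int) -> float:
    """Percentage to one decimal; an empty population scores 100 (nothing is failing)."""
    return round(100.0 * part / whole, 1) if whole else 100.0


@dataclass
class Finding:
    """One vulnerability on one host (patch management)."""
    host: str
    severity: str
    published: date
    fixed: Optional[date]  # None = still open


def patch_sla_compliance(findings, as_of=AS_OF) -> float:
    """Percent of findings closed within the severity SLA. Open findings already past
    their SLA count as breaches; open findings still inside SLA are not scored yet."""
    met = breached = 0
    for f in findings:
        sla = PATCH_SLA_DAYS[f.severity]
        if f.fixed is not None:
            if (f.fixed - f.published).days <= sla:
                met += 1
            else:
                breached += 1
        elif (as_of - f.published).days > sla:
            breached += 1
    return pct(met, met + breached)


def phishing_rates(results) -> dict:
    """Click and report rates from (user, clicked, reported) simulation records."""
    clicked = sum(1 for _, c, _ in results if c)
    reported = sum(1 for _, _, r in results if r)
    return {"click_rate": pct(clicked, len(results)), "report_rate": pct(reported, len(results))}


def av_coverage(endpoints, as_of=AS_OF, max_stale_days=7) -> float:
    """Percent of endpoints whose AV agent checked in recently; a silent agent is uncovered."""
    healthy = sum(1 for _, last_seen in endpoints
                  if last_seen is not None and (as_of - last_seen).days <= max_stale_days)
    return pct(healthy, len(endpoints))


def incident_times(incidents) -> dict:
    """Median hours to detect and to contain from (occurred, detected, contained) timestamps."""
    hours = lambda a, b: (b - a).total_seconds() / 3600
    return {"mttd_h": round(median(hours(o, d) for o, d, _ in incidents), 1),
            "mttc_h": round(median(hours(d, c) for _, d, c in incidents), 1)}


def training_completion(staff, as_of=AS_OF, cycle_days=365) -> float:
    """Percent of staff whose last awareness training (user, completed_on) is inside the cycle."""
    current = sum(1 for _, done in staff if done is not None and (as_of - done).days <= cycle_days)
    return pct(current, len(staff))


def overdue_audit_findings(items, as_of=AS_OF) -> int:
    """Open audit findings past their due date, from (id, due, closed_on) records."""
    return sum(1 for _, due, closed in items if closed is None and due < as_of)


def rag(value: float, target: float, higher_is_better=True, tolerance=5.0) -> str:
    """Dashboard colour: green at/above target, amber within tolerance of it, else red."""
    gap = target - value if higher_is_better else value - target
    return "green" if gap <= 0 else ("amber" if gap <= tolerance else "red")


# Constructed sample records for one reporting period (not real data).
FINDINGS = [Finding("srv1", "critical", date(2023, 2, 1), date(2023, 2, 10)),
            Finding("srv2", "critical", date(2023, 2, 1), date(2023, 2, 20)),
            Finding("ws3", "high", date(2023, 2, 20), None),
            Finding("ws4", "medium", date(2022, 11, 1), None),
            Finding("srv5", "high", date(2023, 1, 15), date(2023, 2, 10))]
PHISHING = [("alice", False, True), ("bob", True, False), ("carol", False, False),
            ("dave", True, True), ("erin", False, True)]
ENDPOINTS = [("pc1", date(2023, 3, 9)), ("pc2", date(2023, 2, 1)), ("pc3", None), ("pc4", date(2023, 3, 3))]
INCIDENTS = [(datetime(2023, 2, 1, 8), datetime(2023, 2, 1, 12), datetime(2023, 2, 1, 18)),
             (datetime(2023, 2, 10), datetime(2023, 2, 12), datetime(2023, 2, 12, 12)),
             (datetime(2023, 3, 1, 9), datetime(2023, 3, 1, 10, 30), datetime(2023, 3, 1, 13, 30))]
STAFF = [("alice", date(2023, 1, 5)), ("bob", date(2022, 2, 1)), ("carol", None), ("dave", date(2022, 6, 30))]
AUDIT = [("A-1", date(2023, 2, 1), None), ("A-2", date(2023, 4, 1), None), ("A-3", date(2023, 1, 15), date(2023, 1, 10))]


def board_dashboard() -> dict:
    """One row per metric: value, target and RAG status (targets are assumed)."""
    rows = {
        "training_completion_pct": (training_completion(STAFF), 95.0, True),
        "phishing_click_rate_pct": (phishing_rates(PHISHING)["click_rate"], 10.0, False),
        "patch_sla_compliance_pct": (patch_sla_compliance(FINDINGS), 95.0, True),
        "av_coverage_pct": (av_coverage(ENDPOINTS), 98.0, True),
        "incident_mttd_hours": (incident_times(INCIDENTS)["mttd_h"], 24.0, False),
        "overdue_audit_findings": (overdue_audit_findings(AUDIT), 0, False),
    }
    return {k: {"value": v, "target": t, "status": rag(v, t, up)} for k, (v, t, up) in rows.items()}


if __name__ == "__main__":
    for name, row in board_dashboard().items():
        print(f"{name:26} {row['value']:>6}  target {row['target']:>5}  {row['status']}")
```

Two design choices matter for board use: each metric is a ratio or a time, never a raw count (except overdue audit findings, where the target is zero), so it stays comparable quarter to quarter as the estate grows; and every scoring rule that can hide a problem (open-but-not-yet-breached findings, agents that exist but do not report) is explicit in the function docstring so the committee knows what the number excludes.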


  • https://www.youtube.com/watch?v=xwMY5LGsutY
  • How to Plan for and Implement a Cybersecurity Strategy - https://www.youtube.com/watch?v=u-EQHbqWY60
  • Cybersecurity reference architecture - https://learn.microsoft.com/en-us/security/ciso-workshop/ciso-workshop-module-1?view=o365-worldwide
  • The Chief Information Security Officer (CISO) Workshop Training - https://learn.microsoft.com/en-us/security/ciso-workshop/the-ciso-workshop
