[Cybersecurity Architecture] KPI, Metrics & Dashboards

This post summarizes cybersecurity metrics suitable for reporting to a board or risk committee.

Why Metric Reporting?

  • Reporting leads to success
  • Provides the overall status of the cyber program and its impact on the enterprise as a whole
  • Enables effective allocation of funding and resources
  • Supports regulatory reporting requirements
  • Quantifies cyber resilience, leading to reduced customer and shareholder risk
  • Provides the context for budget increases
  • Addresses current and future threats
  • Conveys information to the board through metrics
  • Frames the program in terms of maturity, risk, and cost
  • Must be actionable
  • Must have clarity, answering:
    • Is the cyber program working?
    • Is the cyber program adequately funded?
    • Is the cyber program reducing customer and shareholder risk?

Common Goals

  • Literature review/survey - NIST, FFIEC, CIS, SOC, ISO
  • Reportable metrics - as identified in the literature review
  • Appropriateness - supports effective decision making

Cyber Metrics Development Process

  • Assess
  • Discuss
  • Research
  • Broader Discussion
  • Effective Cyber Metrics

Metric Examples

For the following common areas:

1. Cybersecurity training
2. Spam / phishing email management
3. Patch management
4. Antivirus / antispyware coverage
5. Incident management
6. Audit management

  • How to Plan for and Implement a Cybersecurity Strategy
  • Cybersecurity reference architecture
  • The Chief Information Security Officer (CISO) Workshop Training