Which cybersecurity metrics do you currently use with your board?

5.4k views, 5 comments
CIO in Energy and Utilities, 2 months ago

We use a combination of CSMA, BitSight, and milestones on our 3-year Cyber Maturity roadmap. Most metrics/benchmarks are merely a yardstick, and what's important is that your organization matures at a steady pace.

Lightbulb on1
Director of Information Security in Finance (non-banking), 2 months ago

None at all.
Just talking about risk values and their progress (up - down) and costs.

Chief Information Security Officer, 2 months ago

• Business Unit Contributions: All indicators are provided by individual business units, highlighting varying levels of cybersecurity maturity across the organization. This comparative view serves as a guide for prioritizing remediation efforts.

• External Threats: Overview of threats related to our external environment.

For each threat, the dashboard includes readiness indicators for:
    • Protection
    • Response
    • Recovery

• Internal Key Risk Indicators (KRIs):
    • Vulnerabilities
    • Endpoint protection (servers, workstations, and network)
    • Database security
    • Third-party risk
    • System hardening
    • Patch Management

• Business-Critical Application Vulnerabilities
• Cultural Risk: Human factor and security awareness
• Penetration Test Results
• NIST Framework Adherence
• External Risk Score: Based on SecurityScorecard
• Critical and High Severity Incidents
• Cybersecurity Strategic Plan: Execution status and results
• Audit Findings and Outcomes
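
The Internal KRIs above (vulnerabilities, patch management, critical/high incidents) and the per-business-unit comparison can be produced from a vulnerability tracker export. The following is an added illustration, not code from the commenter or from any named product: it takes constructed sample findings, scores each business unit on SLA compliance, counts open critical/high items, computes mean time to remediate, and ranks the units worst-first so the board view points at where remediation effort should go. The SLA windows (7/30/90/180 days) are assumed values, not figures from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA per severity, in days (not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Vuln:
    """One finding from a vulnerability tracker export."""
    business_unit: str
    asset: str
    severity: str            # "critical" | "high" | "medium" | "low"
    found: date
    fixed: Optional[date]    # None while the finding is still open


# Constructed sample data for three business units (not real assets).
TODAY = date(2024, 6, 1)
SAMPLE_VULNS = [
    Vuln("Retail", "web-01", "critical", date(2024, 5, 1), date(2024, 5, 5)),
    Vuln("Retail", "db-02", "high", date(2024, 4, 1), None),          # 61 days open
    Vuln("Retail", "ws-07", "medium", date(2024, 5, 20), None),       # 12 days open
    Vuln("Manufacturing", "plc-gw", "critical", date(2024, 5, 10), None),  # 22 days open
    Vuln("Manufacturing", "erp-01", "high", date(2024, 3, 1), date(2024, 3, 20)),
    Vuln("Finance", "pay-01", "high", date(2024, 5, 15), date(2024, 5, 30)),
    Vuln("Finance", "file-03", "low", date(2024, 1, 1), None),        # 152 days open
]


def days_open(v: Vuln, today: date) -> int:
    """Age of a finding: until fixed, or until today if still open."""
    return ((v.fixed or today) - v.found).days


def within_sla(v: Vuln, today: date) -> bool:
    """True if the finding was closed, or is still open, inside its SLA window."""
    return days_open(v, today) <= SLA_DAYS[v.severity]


def sla_compliance_by_unit(vulns, today: date) -> dict:
    """Percentage of each unit's findings that are inside SLA (KRI: patch management)."""
    totals, ok = {}, {}
    for v in vulns:
        totals[v.business_unit] = totals.get(v.business_unit, 0) + 1
        ok[v.business_unit] = ok.get(v.business_unit, 0) + int(within_sla(v, today))
    return {bu: round(100.0 * ok[bu] / totals[bu], 1) for bu in totals}


def open_critical_high(vulns, today: date) -> dict:
    """Open critical/high findings per unit (KRI: critical and high severity items)."""
    counts = {v.business_unit: 0 for v in vulns}
    for v in vulns:
        if v.fixed is None and v.severity in ("critical", "high"):
            counts[v.business_unit] += 1
    return counts


def mean_time_to_remediate(vulns, severity: str) -> Optional[float]:
    """Average days from discovery to fix for closed findings of one severity."""
    closed = [(v.fixed - v.found).days for v in vulns
              if v.severity == severity and v.fixed is not None]
    return round(sum(closed) / len(closed), 1) if closed else None


def board_summary(vulns, today: date) -> list:
    """One row per unit, worst SLA compliance first: the comparative view
    used to prioritise remediation across business units."""
    compliance = sla_compliance_by_unit(vulns, today)
    open_ch = open_critical_high(vulns, today)
    rows = [{"business_unit": bu,
             "sla_compliance_pct": compliance[bu],
             "open_critical_high": open_ch[bu]} for bu in compliance]
    return sorted(rows, key=lambda r: (r["sla_compliance_pct"], -r["open_critical_high"]))


if __name__ == "__main__":
    for row in board_summary(SAMPLE_VULNS, TODAY):
        print(row)
    print("MTTR critical (days):", mean_time_to_remediate(SAMPLE_VULNS, "critical"))
    print("MTTR high (days):", mean_time_to_remediate(SAMPLE_VULNS, "high"))
```

The ranking treats an open finding as compliant until its SLA window expires, so a unit is not penalised for new findings it still has time to fix; what moves a unit down the table is breached windows and open critical/high items, which is the signal a board-level dashboard should carry.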

Director of Information Security in Healthcare and Biotech, 8 months ago

We focus on rolled-up risks, phishing, vulnerability management and program risks. We try to reduce noise as much as possible, but it does creep in as board security awareness and the desire for the right level of metrics are being baselined.

VP of IT in Manufacturing, a year ago

I suggest looking into the Gartner ODMs (Outcome-driven metrics) for Cybersecurity. We have adapted these 16 metrics, and one of the benefits is that it is possible to communicate them in a meaningful way to top management.
Other benefits are that they come as a pre-defined framework and that you can get benchmarks that, at least in our case, answer the first question from leadership: How are others doing?

Lightbulb on2
