

Implementing and Maintaining Security Program Metrics


Cybersecurity metrics are a pertinent part of measuring the successes and failures of your program and the effectiveness of your business outcomes. With so much invested in cybersecurity teams and infrastructure, demonstrating progress and ROI is very difficult – but is absolutely necessary! Doing so also facilitates greater accountability, increased focus, clarity, improved relevancy, and reduced waste, and it supports effective decision-making, accelerated growth, increased visibility, and improved performance, which ultimately result in higher financial returns.

First Build Your Pyramid

Just having a list of cybersecurity metrics on a whiteboard doesn’t mean anything unless every member of the organization supports it.



Foundation: Stakeholder support. 

A strong commitment to information security within the highest levels of an organization’s executive management team helps protect the security program from organizational pressures and budget limitations. 

Level 1: Governance. 

Implementing information security policies and procedures that are enforced and backed by management is essential to the longevity and success of an effective information security program.

Level 2: Quantify Performance Targets. 

Information security performance goals and objectives must be easily obtainable, feasible to measure, and repeatable. Performance targets provided should demonstrate performance trends and facilitate decisions for future resource investments.  

Level 3: Continuously Improve. 

All stakeholders and users must be committed to the accurate collection of meaningful and useful data to allow for continuous improvements to the overall security program.

Custom Fit 

Cybersecurity is not a one-size-fits-all dynamic. What works for one organization in one industry in one region of the world with a specific organizational structure will most likely not work for another that is in a different industry, geography and culture. All of these factors are critical to setting a solid foundation from which to work.

Much of the pre-work needed to determine which cybersecurity metrics to track and implement comes down to understanding your business and where your greatest organizational risks lie. Making it a priority to understand your risk before composing a list of your information security objectives is a best practice that keeps you from tracking metrics that do not support your business objectives.

Example Security Metrics

*Note: This is an example and is not to be considered an exhaustive list or necessarily applicable to your specific organization.

  • Security Policy/Compliance Adherence
      • Regulatory control compliance
      • Firewall/network security audit data
      • Configuration compliance tracking
      • Compensating control (aka exception) tracking and documentation
      • The number of assets undercovered, decommissioned, and active
      • Security control validation assessment performance  
  • Training and Awareness
      • Hiring and churn metrics
      • Track employee completion statistics (mandatory, corrective, and optional training) 
      • Operational readiness level 
  • Vulnerability Data
      • Patching levels over time – volume, time to patch, vulnerability age, etc.  
      • Internal vs. external vulnerabilities ratio 
      • Vulnerabilities by criticality/severity/priority rating 
  • Monitoring and Response
      • Tool performance and availability metrics
      • Amount of data being collected by event type
      • # of events/alerts/etc. being collected
      • # of resulting “incidents” and data to incident conversions
      • Mean time-to-detect (MTTD)
      • Mean time-to-respond/remediate (MTTR)
      • MTTR (Mean Time To Resolve)
      • ADT (Average Detection Time) over a period of time
      • ACT (Average Containment Time) over a period of time
      • AET (Average Eradication Time) over a period of time
      • Net new security incidents by priority by business value sub-segment week over week
      • Weekly closed security incidents by priority and business value sub-segment week over week
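
As an added illustration (not part of the original post and not NopSec code), the sketch below computes several of the Monitoring and Response metrics listed above per week and priority from incident records. The record fields, the sample data, and the interval definitions used (MTTD = occurred to detected, ACT = detected to contained, MTTR = detected to resolved) are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records; field names and timestamps are assumptions.
INCIDENTS = [
    {"id": "INC-1", "priority": "P1", "occurred": "2024-03-04T08:00",
     "detected": "2024-03-04T10:00", "contained": "2024-03-04T13:00",
     "resolved": "2024-03-05T10:00"},
    {"id": "INC-2", "priority": "P1", "occurred": "2024-03-05T00:00",
     "detected": "2024-03-05T06:00", "contained": "2024-03-05T07:00",
     "resolved": None},  # still open
    {"id": "INC-3", "priority": "P2", "occurred": "2024-03-06T09:00",
     "detected": "2024-03-06T10:00", "contained": "2024-03-06T12:00",
     "resolved": "2024-03-06T18:00"},
    {"id": "INC-4", "priority": "P1", "occurred": "2024-03-11T12:00",
     "detected": "2024-03-11T13:00", "contained": "2024-03-11T14:00",
     "resolved": "2024-03-11T17:00"},
]

def hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600

def avg(incidents, start, end):
    """Mean interval over incidents that reached the `end` stage, else None."""
    spans = [hours(i[start], i[end]) for i in incidents if i.get(end)]
    return mean(spans) if spans else None

def weekly_metrics(incidents):
    """Bucket by (ISO week of detection, priority) and compute the metrics."""
    buckets = defaultdict(list)
    for inc in incidents:
        year, week, _ = datetime.fromisoformat(inc["detected"]).isocalendar()
        buckets[(f"{year}-W{week:02d}", inc["priority"])].append(inc)
    return {
        key: {
            "new": len(group),
            "open": sum(1 for i in group if not i.get("resolved")),
            "mttd_h": avg(group, "occurred", "detected"),
            "act_h": avg(group, "detected", "contained"),
            "mttr_h": avg(group, "detected", "resolved"),
        }
        for key, group in sorted(buckets.items())
    }

if __name__ == "__main__":
    for key, row in weekly_metrics(INCIDENTS).items():
        print(key, row)
```

Open incidents are left out of the MTTR average and counted separately, so an unresolved backlog cannot make the mean look better than it is.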

Best of Breed Approach

Security Program Metrics & ROI Reporting with NopSec

Your program’s overall health and your tracking towards remediation benchmarks can both be put on display easily for your C-suite, the board of directors and other key stakeholders. NopSec helps you communicate your risk posture and the impact the team is having on it.

  • Demonstrate Security ROI – Increase the maturity level of your security and VM program
  • Improve Security IQ – Leverage machine learning to make better decisions faster and increase team effectiveness
  • Streamline Security Work – Enhanced collaboration and communication between Security and IT Operations teams
  • Follow Best Practices – Gain visibility into company-wide cyber security risks and focus on fixing the most critical

NopSec has worked with leading security teams worldwide and we have helped many Security leaders develop and implement programs to improve, measure and demonstrate their security progress. Please feel free to reach out to us to discuss your own current metrics and how we can help you improve and mature your metrics program. Reach out and learn how to implement and improve your security program and ROI; request a demo today.
