14 Cybersecurity Metrics + KPIs You Must Track in 2023

When it comes to protecting sensitive data, preventing data breaches, and detecting cyber attacks, a checklist should be followed to track your efforts.

Key performance indicators (KPIs) are an effective way to measure the success of any program (including cybersecurity) and aid in decision-making.

According to PwC, just 22 percent of Chief Executive Officers believe their risk exposure data is comprehensive enough to form decisions, a figure that, alarmingly, hasn't changed in 10 years.

The EY Global Information Security Survey supports this with only 15% of organizations saying their information security (InfoSec) reporting fully meets their expectations.

In this post, we discuss 14 actionable cybersecurity metrics to help you take ownership of your risk identification and remediation efforts.

Why are Cybersecurity Metrics Important?

As Peter Drucker said, what gets measured, gets managed - and cybersecurity is no different. If you can't measure your security efforts, you won't know how you're tracking.

Cybersecurity is not a one-time affair. Cyber threats are constantly evolving and the processes and technology needed to prevent them are constantly changing. You need to have measures in place to frequently assess the effectiveness of the safeguards you have invested in.

This is important for two reasons:

  1. Analysis of KPIs, key risk indicators (KRIs), and security postures provides a snapshot of how your security team is functioning over time, helping you better understand what is working and what is worsening and improving decision-making about future projects.
  2. Metrics provide quantitative information that you can use to show management and board members you take the protection and integrity of sensitive information and information technology assets seriously.

Reporting and providing context on cybersecurity metrics is becoming an important part of the job for many Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs), driven by increasing interest in reporting at the shareholder, regulatory, and board levels.

Many board members in sectors like financial services have a fiduciary or regulatory duty to manage cybersecurity risk and protect personally identifiable information (PII).

This has been driven by new regulations like the Gramm-Leach-Bliley Act, NYDFS Cybersecurity Regulation, PIPEDA, and CPS 234. Pair these with extraterritorial data protection laws like GDPR, CCPA, and LGPD, and security management becomes a key focus for every organization.

The best IT security professionals use metrics to tell a story, especially when giving a report to non-technical colleagues.

14 Cybersecurity KPIs to Track

Below are examples of clear KPIs and metrics you can track and present to your stakeholders:

1. Level of Preparedness

How many devices on your corporate network are fully patched and up to date? Vulnerability scanning and vulnerability management is one of the 20 CIS Controls and reduces the risk of vulnerability exploitation.

2. Unidentified Devices on Internal Networks

Employees can introduce malware and other cyber risks when they bring in their own devices, as can poorly configured Internet of Things (IoT) devices, which is why network intrusion detection systems are an important part of your organization's security.

3. Intrusion Attempts

How many times have bad actors attempted to gain unauthorized access? You may need to reference firewall logs to gather this intelligence.

4. Security Incidents

How many times has an attacker breached your information assets or networks?

5. Mean Time to Detect (MTTD)

How long do security threats go unnoticed? MTTD measures how long it takes your team to become aware of indicators of compromise and other security threats.

6. Mean Time to Resolve (MTTR)

How long does it take your team to respond to a cyber attack once they are aware of it? This is a great measure of the quality of your incident response plan implementation.

7. Mean Time to Contain (MTTC)

How long does it take to close identified attack vectors across all endpoints?
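The three time-based metrics above (MTTD, MTTR and MTTC) all come from the same four timestamps on each incident record. The following is an added example, not code from the original post or from UpGuard; the incident records are constructed, and the choice to measure MTTC and MTTR from the moment of detection follows the definitions given above.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    ident: str
    occurred: datetime    # when attacker activity began (established by forensics)
    detected: datetime    # when the security team first became aware of it
    contained: datetime   # when the attack vector was closed on all endpoints
    resolved: datetime    # when the incident was fully remediated and closed


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600


def validate(incidents):
    """Reject out-of-order timestamps: a mean over bad records is worse than no metric."""
    for i in incidents:
        if not (i.occurred <= i.detected <= i.contained <= i.resolved):
            raise ValueError(f"{i.ident}: timestamps out of order")
    return incidents


def report(incidents):
    """MTTD, MTTC and MTTR in hours, averaged over the given incidents."""
    validate(incidents)
    return {
        # compromise -> awareness: how long threats go unnoticed
        "mttd_hours": mean(_hours(i.detected, i.occurred) for i in incidents),
        # awareness -> attack vector closed everywhere
        "mttc_hours": mean(_hours(i.contained, i.detected) for i in incidents),
        # awareness -> fully remediated and closed
        "mttr_hours": mean(_hours(i.resolved, i.detected) for i in incidents),
    }


# Constructed sample incidents (not real data) spanning one quarter.
SAMPLE = [
    Incident("INC-001", datetime(2023, 3, 1, 8), datetime(2023, 3, 2, 8),
             datetime(2023, 3, 2, 12), datetime(2023, 3, 3, 8)),
    Incident("INC-002", datetime(2023, 3, 10, 0), datetime(2023, 3, 10, 6),
             datetime(2023, 3, 10, 8), datetime(2023, 3, 10, 18)),
    Incident("INC-003", datetime(2023, 4, 5, 9), datetime(2023, 4, 7, 9),
             datetime(2023, 4, 7, 15), datetime(2023, 4, 9, 9)),
]

if __name__ == "__main__":
    print(report(SAMPLE))  # mttd 26.0 h, mttc 4.0 h, mttr 28.0 h
```

Because these are means, a single slow-burning intrusion skews the figure upward; reporting the median alongside the mean, or splitting the figure by severity, keeps the trend honest for board reporting.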

8. First Party Security Ratings

Security ratings are often the easiest way to communicate metrics to non-technical colleagues through an easy-to-understand score.

UpGuard gives your company a simple A-F letter grade to assess cybersecurity posture based on 50+ criteria in real time, including network security, phishing risk, DNSSEC, email spoofing, social engineering risk, DMARC, risk of man-in-the-middle attacks, data leaks, and vulnerabilities.

Security ratings can feed into your cybersecurity risk assessment process and help inform which information security metrics need attention.

9. Average Vendor Security Rating

The threat landscape for your organization extends beyond your borders and your security performance metrics must do the same.

This is why vendor risk management and a robust third-party risk management framework are essential requirements for security operations. UpGuard's Executive Summary Report provides you with instant access to your average vendor rating over the last twelve months, as well as your distribution of vendor ratings. Traditional vendor management practices were limited to a snapshot of your vendor security ratings at a single point in time. By continuously monitoring vendor risks, you can greatly reduce your third-party and fourth-party risk.

10. Patching Cadence

How long does it take your team to implement application security patches or mitigate high-risk CVE-listed vulnerabilities?

Cybercriminals often use threat intelligence tools and exploit the lag between patch releases and implementation. A great example of this is the widespread success of WannaCry, a ransomware computer worm. Although the zero-day vulnerability WannaCry exploited, called EternalBlue, was quickly patched, many organizations fell victim anyway due to poor patching cadence.
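Patching cadence is the gap between a fix becoming available and it being deployed, tracked per severity against whatever SLA your policy sets. The following is an added example, not code from the original post or from UpGuard; the SLA targets and vulnerability records are constructed, and the identifiers are placeholders rather than real CVE numbers. It also reports open items that have already blown past their SLA, which is the number that matters most in a WannaCry-style window.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Assumed SLA targets in days per severity (constructed; substitute your own policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class PatchRecord:
    vuln_id: str                    # placeholder identifier, not a real CVE
    severity: str
    patch_released: date            # vendor fix available
    patch_deployed: Optional[date]  # None while the fix is still not rolled out


def lag_days(rec: PatchRecord, as_of: date) -> int:
    """Days from fix availability to deployment; open items are measured up to as_of."""
    end = rec.patch_deployed or as_of
    return (end - rec.patch_released).days


def cadence_report(records, as_of: date):
    """Per-severity cadence figures; severities with no records are omitted."""
    report = {}
    for sev, sla in SLA_DAYS.items():
        group = [r for r in records if r.severity == sev]
        if not group:
            continue
        lags = [lag_days(r, as_of) for r in group]
        closed_in_sla = [r for r in group if r.patch_deployed and lag_days(r, as_of) <= sla]
        report[sev] = {
            "count": len(group),
            "open": sum(1 for r in group if r.patch_deployed is None),
            "mean_lag_days": mean(lags),
            "median_lag_days": median(lags),
            "pct_within_sla": round(100 * len(closed_in_sla) / len(group), 1),
            # still unpatched and already older than the SLA allows
            "open_past_sla": [r.vuln_id for r in group
                              if r.patch_deployed is None and lag_days(r, as_of) > sla],
        }
    return report


AS_OF = date(2023, 6, 30)
SAMPLE = [  # constructed records, not real vulnerability data
    PatchRecord("VULN-A", "critical", date(2023, 6, 1), date(2023, 6, 5)),    # 4 days
    PatchRecord("VULN-B", "critical", date(2023, 6, 1), date(2023, 6, 15)),   # 14 days
    PatchRecord("VULN-C", "critical", date(2023, 6, 10), None),               # open 20 days
    PatchRecord("VULN-D", "high", date(2023, 5, 1), date(2023, 5, 20)),       # 19 days
    PatchRecord("VULN-E", "high", date(2023, 6, 20), None),                   # open 10 days
]
```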

11. Access Management

How many users have administrative privileges? Access control and the principle of least privilege are simple, cost-effective methods of reducing privilege escalation attacks.

12. Company vs Peer Performance

The top metric for board-level reporting today is how your organization's cybersecurity performance compares to peers in your industry. This information is easily digestible, visually appealing, and highly compelling, which makes it a top choice for board presentations. UpGuard's Executive Summary Report allows you to easily benchmark your security performance against four key industry peers over the last twelve months.

13. Vendor Patching Cadence

This metric involves determining how many risks your third-party vendors have and how many critical vulnerabilities are yet to be remediated.

14. Mean Time for Vendor Incident Response

A security incident isn't just a successful cyber attack: intrusion attempts against vendors can signal that your organization is a potential target. The longer it takes vendors to respond to incidents, the higher the chance you will suffer a third-party data breach. In fact, some of the biggest data breaches are the result of poor vendor management.

How to Choose the Right Cybersecurity Metrics

There is no hard and fast rule for choosing cybersecurity KPIs and KRIs. These metrics will depend on your industry, your organization's needs, regulations, guidelines, best practices and, ultimately, your and your customers' appetite for risk.

That said, you will want to choose metrics that are clear to anyone, even non-technical stakeholders. A good rule of thumb is if your non-technical stakeholders can't understand them, you need to pick new metrics or do a better job of explaining them.

Benchmarks and industry comparisons are an easy way to make even complex metrics understandable.

And remember that one of the most important metrics is cost. The goal of presenting to the executive team and board is to make a succinct point about how cybersecurity is saving the organization money or generating additional revenue.

This shouldn't be too hard to justify, given that the average data breach costs organizations $3.92 million globally and $8.19 million in the United States.

Outside of the metrics outlined above, the CIS Controls provide a cost-effective, prioritized list of security controls.

Cybersecurity KPI Tracking by UpGuard

UpGuard streamlines cybersecurity metric tracking with instant visibility into all the variables that matter to you and your executive team.

Learn more about UpGuard's executive reporting capabilities.
