Choosing cybersecurity metrics that matter



Chief information security officers (CISOs) may have hundreds of cybersecurity metrics to manage, but only a fraction of those will be relevant to the board and C-suite. A good CISO has to distill data into an easy-to-understand dashboard and communicate risk to a board that doesn’t want complex technical details.

With data coming from many directions and leadership expecting the CISO to make sense of it all, choosing metrics that are aligned with organizational goals is essential. Here are some ways to select the cybersecurity metrics that will matter most to the board.

“CISOs should speak to cybersecurity risk as a strategic business opportunity, instead of making it all about operational risk.”

  • Focus on the data that drives decisions

    Don’t track metrics simply for the sake of tracking metrics. If a metric isn’t enabling business decisions or influencing behavior, don’t waste your time on it.

  • Establish a baseline of what is a low, medium, and high risk

    Despite cybersecurity risk frameworks like NIST, there is little standardization in information security. Based on your organization’s policies and risk appetite, you can set up a baseline and thresholds to help you prioritize risks (and easily articulate them in the boardroom). We dive deeper into cybersecurity risk management in our eBook, CISOs in the boardroom.

  • Organize metrics by departments

    From governance to security ops, separating data this way can actually bring the organization closer together. When you get buy-in from leaders and managers and have more eyes on the data, you end up with powerful insights.

  • Look at the speed of risk reduction

    It’s important to go beyond basic “count” metrics. For example, rather than reporting the number of critical vulnerabilities, focus on the number that are still open after 60 days.

  • Use the right technology

    Can you merge data from different tools—not just security and GRC tools, but ERP systems? It’s essential that your tech solution is able to process data through an analytics engine, put it on a schedule, and create storyboards. Learn how you can effectively manage security operations with our centralized cybersecurity management solution.

  • Be prepared to compare

    The board will often want to know how your organization’s security posture stacks up against the competition. Using a tool like BitSight Security Ratings, you can see (and share) the security score of your organization, competitors, and the industry overall.

Presenting cybersecurity risks to the board

CISOs should speak to cybersecurity risk as a strategic business opportunity, instead of making it all about operational risk. Similarly, metrics should be actionable and aligned with the organization’s objectives. Metrics aren’t just numbers. They’re a chance to tell a story about your organization’s past, present, and future, so make it an interesting and valuable one for your audience.


CISOs in the boardroom

In this eBook, you’ll discover:

  • The top six challenges facing CISOs today.
  • What’s defining our current cyber-risk landscape.
  • Strategies to win more budget and capacity for your cybersecurity function.
  • Common questions to anticipate from the board (and how to respond to them).

Download eBook

Related Articles


Galvanize is now part of Diligent.

To stay up to date on the latest product offerings, research and GRC resources please visit or to login to your Galvanize products please visit

Visit Diligent Login