2.3: Metrics Worth Tracking
Most security dashboards are decorative. They show numbers that move, charts that go up and to the right, and a posture score that impresses a board that doesn’t know what it’s looking at. The numbers are real; the signal is fiction.
A good metric has three properties: it’s hard to fake without making the program better, it correlates with real breach outcomes, and it changes when the program changes. Most vendor-supplied dashboard numbers fail at least one of those. Here’s a short list that passes all three.
Four metrics that mean something
1. Time-to-patch for KEV, measured against an SLA.
CISA publishes the Known Exploited Vulnerabilities (KEV) catalog: CVEs with evidence of active exploitation in the wild. There are over a thousand of them, and the list grows weekly. Your program should have an SLA for patching KEV entries on exposed systems (30 days is a defensible target; CISA's Binding Operational Directive 22-01 gives federal civilian agencies about two weeks for newly added entries).
The metric: percentage of KEV entries on your asset base that are patched within SLA. This one number pressure-tests your asset inventory (do you know where the software lives?), your patching cadence, your exposure model (internet-facing vs. internal), and your prioritization. If it’s above 90%, you have a real vulnerability management program. If it’s below 50%, you don’t — regardless of what other tooling you’ve bought.
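Here is what that number looks like when you actually compute it. This is an added example, not code from the page or from CISA: the KEV rows and the asset inventory are constructed, the 14-day SLA for internet-facing hosts is an assumption layered on the page's 30-day target, and the field names only mirror the real KEV feed (`cveID`, `dateAdded`). The point the code makes that the prose does not: an unpatched exposure whose deadline has not passed is neither a success nor a failure yet, and a host you never inventoried never enters the denominator at all.

```python
"""KEV time-to-patch against SLA, computed from an asset inventory.

Added example, not code from the page or from CISA. The KEV rows and the
inventory below are constructed; field names mirror the real KEV JSON feed
(cveID, dateAdded) but nothing here is a real catalog entry.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLAs: the page's 30-day target for internal hosts, tighter for
# internet-facing ones (the exposure model the page says this metric tests).
SLA_INTERNET_FACING = timedelta(days=14)
SLA_INTERNAL = timedelta(days=30)

# Constructed KEV slice: cveID -> dateAdded. Real catalog rows also carry a
# dueDate; using dateAdded + SLA lets you apply your own SLA instead.
KEV = {
    "CVE-0000-0001": date(2024, 1, 2),
    "CVE-0000-0002": date(2024, 1, 10),
    "CVE-0000-0003": date(2024, 2, 1),
}


@dataclass(frozen=True)
class Exposure:
    """One (asset, vulnerable software) pair from the inventory."""
    asset: str
    cve: str
    internet_facing: bool
    patched_on: Optional[date]  # None: still vulnerable as of the report date


# Constructed inventory. Assets you cannot enumerate never appear here,
# which is exactly why the metric pressure-tests the asset inventory.
INVENTORY = [
    Exposure("web-01",   "CVE-0000-0001", True,  date(2024, 1, 10)),  # 8 days
    Exposure("web-02",   "CVE-0000-0001", True,  date(2024, 1, 20)),  # 18 days, misses 14-day SLA
    Exposure("db-01",    "CVE-0000-0002", False, date(2024, 2, 5)),   # 26 days
    Exposure("jump-01",  "CVE-0000-0003", True,  None),               # unpatched, deadline passed
    Exposure("build-01", "CVE-0000-0003", False, date(2024, 2, 20)),  # 19 days
    Exposure("vpn-01",   "CVE-0000-0003", False, None),               # unpatched, deadline still open
    Exposure("mail-01",  "CVE-9999-0001", True,  None),               # not in KEV: out of scope
]
AS_OF = date(2024, 3, 1)


def deadline_for(e: Exposure) -> date:
    sla = SLA_INTERNET_FACING if e.internet_facing else SLA_INTERNAL
    return KEV[e.cve] + sla


def kev_sla_report(inventory, as_of: date) -> dict:
    """Share of KEV exposures remediated within SLA.

    Unpatched exposures whose deadline has not yet passed are 'pending':
    they are excluded from the percentage so an open window is reported as
    neither success nor failure. Everything past its deadline is a breach.
    """
    met = breached = pending = 0
    overdue = []
    for e in inventory:
        if e.cve not in KEV:
            continue  # a vulnerability, but not this metric's business
        deadline = deadline_for(e)
        if e.patched_on is not None:
            if e.patched_on <= deadline:
                met += 1
            else:
                breached += 1
        elif as_of > deadline:
            breached += 1
            overdue.append((e.asset, e.cve, (as_of - deadline).days))
        else:
            pending += 1
    measured = met + breached
    return {
        "met": met,
        "breached": breached,
        "pending": pending,
        "pct_within_sla": round(100.0 * met / measured, 1) if measured else None,
        "overdue": sorted(overdue, key=lambda row: -row[2]),  # worst first
    }


def example_report() -> dict:
    return kev_sla_report(INVENTORY, AS_OF)


if __name__ == "__main__":
    print(example_report())
```

On the constructed data this reports 3 met, 2 breached, 1 pending (60% within SLA) and names the one host that is overdue and by how many days. The overdue list is the part to put in front of whoever owns the hosts; the percentage is the part to put in front of the board.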
2. MFA coverage on privileged accounts.
Percentage of accounts with admin, root, or elevated privileges that have MFA enforced (not optional, enforced; and ideally phishing-resistant: FIDO2 security keys or platform authenticators, not SMS or voice). Target: 100%. Every account below that line is an attack path.
This is a single query against your identity system. If you can’t run it, or it takes more than a day to produce, that’s a Module 1 People-pillar finding you’ve just surfaced.
3. Mean time to detect — in exercises.
Real incidents are too rare in most orgs to give you a statistically useful mean time to detect. A 120-person SaaS company might have one or two real detected events a year. Real incidents that should have been detected and weren’t are even harder to measure — by definition, you missed them.
So measure detection in exercises instead: red-team engagements and tabletops with specific "did we see it?" checkpoints. Measure the time from the simulated action to the first alert that actually reached a human who understood what it meant, not the time to the first rule firing into an unread queue. That number tells you whether your detection capability exists. Treat it as a lower bound: a real intruder is quieter and less cooperative than a red team on a schedule, so the live number will be worse, but a capability that holds up under exercise conditions degrades gracefully when the real thing happens.
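The measurement itself is simple once the exercise is set up with checkpoints. The following is an added example, not code from the page: the checkpoint and alert records are constructed, and the assumption is that during the debrief each alert was attributed to the red-team action that caused it. It encodes the two rules the text states: an alert counts only from the moment a human acknowledged it, and a checkpoint with no acknowledged alert is a miss that must be reported separately, because a miss has no latency and silently disappears from any average.

```python
"""Time to detect, measured against red-team checkpoints.

Added example, not from the page. Records below are constructed: each
red-team action is a checkpoint with a known start time, and each alert is
attributed to a checkpoint during the debrief (the attribution is assumed).
An alert counts only once a human acknowledged it; a rule that fired into an
unread queue is not detection.
"""
from datetime import datetime, timedelta
from statistics import median

# (checkpoint id, technique label, time the red team executed it), UTC
CHECKPOINTS = [
    ("C1", "kerberoast",                   datetime(2024, 5, 6, 9, 0)),
    ("C2", "lateral movement (RDP)",       datetime(2024, 5, 6, 11, 30)),
    ("C3", "bulk download from file share", datetime(2024, 5, 6, 15, 0)),
]

# (checkpoint id, alert fired, acknowledged by a human or None)
ALERTS = [
    ("C1", datetime(2024, 5, 6, 9, 5),  None),                         # fired, never triaged
    ("C1", datetime(2024, 5, 6, 9, 12), datetime(2024, 5, 6, 9, 50)),  # triaged 50 min after the action
    ("C2", datetime(2024, 5, 6, 13, 0), datetime(2024, 5, 6, 16, 0)),  # triaged 4.5 h after the action
    # C3 produced nothing: a missed checkpoint
]


def detection_latencies(checkpoints, alerts, window=timedelta(hours=24)):
    """Per checkpoint: time to the first human-acknowledged alert, or None.

    Only acknowledgements inside [start, start + window] count, so an
    unrelated alert triaged before the action cannot be credited to it.
    """
    out = {}
    for cid, label, started in checkpoints:
        acks = [
            ack for (aid, fired, ack) in alerts
            if aid == cid and ack is not None and started <= ack <= started + window
        ]
        out[cid] = (label, min(acks) - started if acks else None)
    return out


def summarize(latencies) -> dict:
    """Headline numbers plus the list of misses, which no average can show."""
    seen = [lat for _, lat in latencies.values() if lat is not None]
    minutes = [lat.total_seconds() / 60 for lat in seen]
    return {
        "checkpoints": len(latencies),
        "detected": len(seen),
        "median_minutes": median(minutes) if minutes else None,
        "worst_minutes": max(minutes) if minutes else None,
        "missed": [label for label, lat in latencies.values() if lat is None],
    }


def example_summary() -> dict:
    return summarize(detection_latencies(CHECKPOINTS, ALERTS))


if __name__ == "__main__":
    print(example_summary())
```

On the constructed records: three checkpoints, two detected, median 160 minutes, worst 270 minutes, and the exfiltration-style checkpoint missed entirely. Report the median and the miss list together; a mean over only the detected checkpoints would make the missed one vanish, and the missed one is the finding.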
4. Backup restore test pass rate.
Did the last three restore tests work? Not “did we run them” — did the restored data come back correct, intact, and in the RTO the business expects. If you haven’t run a restore test in the last quarter, your backup program is theoretical. Schrödinger’s backup: not a real backup until it’s observed to restore.
Three metrics that lie
Phishing click rate. Gameable on both ends: the team running the test picks the lure, and the people taking it warn each other. It tells you about this quarter's phishing test, not about breach likelihood.
“Blocked X thousand attacks.” Vendor theater. Counts firewall denies, EDR detections on port scans, WAF rule hits on script kiddie traffic. Big number, zero meaning. The attacks that matter are the ones you didn’t block — and those are by definition not in this count.
Compliance score. A percentage against a control checklist. A compliance score of 98% tells you that 2% of controls are missing on paper. It does not tell you whether the 98% that are “in place” actually work. Ask any auditor off the record: the compliance artifacts say yes; the evidence is usually thinner.
If you can only report one metric up
Make it time-to-patch for KEV, against a 30-day SLA. One number, updated monthly. It pressure-tests most of your pillars at once: you can't do well on KEV patching without a People program (who owns the systems), a Devices and Systems program (what's deployed, how it's managed), a Data program (what the exposure radius is), and an Incidents program (what happens when you miss one).
Boards don’t need dashboards. They need a short list of numbers they can ask about quarter over quarter. Start with one that matters.