Many security metrics measure activity, not outcomes. I once worked with a company that proudly reported patching 10,000 vulnerabilities in a single quarter. It sounded impressive until I discovered that 95 percent of those patches were on non-critical development machines, while their internet-facing production servers still had critical vulnerabilities from six months prior. The metric showed activity, not security improvement. Focus on what actually indicates security posture, and you will make better decisions about where to invest your limited budget.
Vanity Metrics to Avoid
These metrics look impressive on a slide but tell you almost nothing about your actual security posture.
- Number of vulnerabilities found - More could mean better scanning coverage or a deteriorating environment. Without context, this number is meaningless. I have seen teams celebrate finding more vulnerabilities year over year, not realizing this indicated their remediation program was failing.
- Patches applied - Counting patches without considering which systems were patched or the criticality of vulnerabilities addressed creates a false sense of security.
- Training sessions completed - Completion rates tell you nothing about whether behavior changed. I have tested organizations with 100 percent training completion that still had 40 percent phishing click rates.
- Tools deployed - Some of the most secure organizations I test have relatively few tools, well-configured and monitored. Some of the least secure have dozens generating alerts nobody reads.
Meaningful Metrics
These metrics actually correlate with improved security outcomes.
- Mean time to detect (MTTD) - During red team engagements, I track how long it takes clients to detect my activities. I have operated inside some networks for weeks without detection and been caught within hours in others. The difference is almost always attributable to detection capability maturity.
- Mean time to respond (MTTR) - Detection without response is meaningless. Track time from detection to containment, then containment to full remediation. These numbers should decrease over time.
- Critical vulnerability exposure time - How long do critical vulnerabilities remain unpatched on production systems? This measures the window of opportunity for attackers.
- Phishing click rate trends - Not the absolute number, but the trend. A 15 percent rate that was 30 percent last year shows genuine improvement. Track reporting rates too.
- Attack surface reduction - Track internet-facing services, open ports, expired certificates, and abandoned applications over time.
Leading vs Lagging Indicators
- Leading indicators - Predict future issues: coverage gaps in vulnerability scanning, percentage of systems without endpoint detection, age of unreviewed firewall rules.
- Lagging indicators - Measure past events: incident count and severity, breach costs, penetration test results. Important for understanding what happened but insufficient for predicting what will happen.
Reporting Frequency
- Executive dashboards: monthly - Three to five key metrics with clear trend arrows showing whether the program is moving in the right direction.
- Operational metrics: weekly - Patch status, alert volume, incident response activities, and scanning coverage for the security team.
- Incident metrics: as needed - Real-time dashboards during active incidents, detailed post-incident metrics during retrospectives.
Building a Metrics Program
Start small. I have seen organizations attempt to track 50 metrics simultaneously and end up tracking none well. Choose three to five metrics aligned with your most significant risks and measure those consistently for six months before adding more. Ensure automated data collection because manual metrics are unsustainable. Most importantly, act on the data. Every metric should have a defined threshold that triggers a specific action.
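As an added example (not code from the original post), the following Python computes the activity count from the vanity-metrics list beside the outcome metrics from the meaningful-metrics list, and applies the per-metric action thresholds this section calls for. The findings, incidents, field layout and threshold values are all constructed assumptions, not a real tool's schema.

```python
from datetime import date

# Constructed sample findings: (asset, environment, severity, found, patched or None).
FINDINGS = [
    ("dev-01", "dev", "low", date(2024, 1, 5), date(2024, 1, 6)),
    ("dev-02", "dev", "medium", date(2024, 1, 5), date(2024, 1, 7)),
    ("dev-03", "dev", "low", date(2024, 1, 8), date(2024, 1, 9)),
    ("web-01", "prod", "critical", date(2023, 9, 1), None),
    ("web-02", "prod", "critical", date(2024, 1, 2), date(2024, 1, 30)),
]
# Constructed sample incidents: (name, attacker activity start, detected, contained).
INCIDENTS = [
    ("phish-q1", date(2024, 1, 10), date(2024, 1, 11), date(2024, 1, 12)),
    ("redteam-q1", date(2024, 2, 1), date(2024, 2, 22), date(2024, 2, 24)),
]
AS_OF = date(2024, 3, 1)  # reporting date for the constructed data
# Assumed action thresholds in days; the post asks for thresholds, these values are ours.
THRESHOLDS = {"critical_exposure_days": 30, "mttd_days": 7, "mttr_days": 2}

def patches_applied(findings, as_of):
    """Vanity metric: every closed finding counts, whatever its host or severity."""
    return sum(1 for _, _, _, _, patched in findings if patched and patched <= as_of)

def critical_prod_exposure(findings, as_of):
    """Outcome metric: days each critical production finding stayed (or stays) open."""
    return {asset: ((patched or as_of) - found).days
            for asset, env, sev, found, patched in findings
            if env == "prod" and sev == "critical"}

def mean_days(pairs):
    """Average (end - start) in days over (start, end) pairs; 0.0 when there are none."""
    return sum((end - start).days for start, end in pairs) / len(pairs) if pairs else 0.0

def mttd(incidents):  # attacker start -> detection
    return mean_days([(start, det) for _, start, det, _ in incidents])

def mttr(incidents):  # detection -> containment
    return mean_days([(det, cont) for _, _, det, cont in incidents])

def breaches(findings, incidents, as_of, thresholds=THRESHOLDS):
    """Metrics above their action threshold, so every number maps to a defined response."""
    worst_exposure = max(critical_prod_exposure(findings, as_of).values(), default=0)
    observed = {"critical_exposure_days": worst_exposure,
                "mttd_days": mttd(incidents), "mttr_days": mttr(incidents)}
    return {k: v for k, v in observed.items() if v > thresholds[k]}

if __name__ == "__main__":
    print("patches applied:", patches_applied(FINDINGS, AS_OF))
    print("critical prod exposure (days):", critical_prod_exposure(FINDINGS, AS_OF))
    print("action required:", breaches(FINDINGS, INCIDENTS, AS_OF))
```

With this data the patch count reads as a healthy 4 while the oldest critical production finding has been open for 182 days, which is the gap between activity and outcome the post describes.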
Using Pentest Results as Metrics
I provide regular clients with year-over-year comparisons showing finding counts by severity, remediation rates for previously identified vulnerabilities, and time required to achieve initial compromise. When a client who previously fell to phishing in 10 minutes now detects and blocks my attempts, that tells a far more meaningful story than any compliance checkbox. These trends demonstrate tangible return on security investment.