How to measure the success of your security program

About the Author

Camille Rasmussen

Managing Editor

Camille Rasmussen is Managing Editor on Okta’s Content and Social team. In addition to overseeing Okta’s blog and LinkedIn newsletter, she’s currently focused on helping our customers and industry be more protected from Identity attacks using content that champions security best practices and offers insights from CISOs and other security experts.

30 April 2025

Security leaders need to measure and track the impact of cybersecurity efforts to identify areas that need attention, demonstrate value to stakeholders, secure ongoing investment, and build trust across leadership teams. But there’s no standard set of metrics to choose from — so how do you pinpoint the right metrics tailored to your business’s specific needs?

At the Okta CISO Forum, a group of more than 50 CISOs that meets regularly to swap best practices, security leaders shared the tools and metrics they’re using to evaluate their programs. Though their measurement approaches and specific KPIs vary, each uses a blend of qualitative narratives and quantitative data to tell a compelling story about the efficacy and return on investment (ROI) of cybersecurity initiatives.

Here’s a comprehensive look at the ways security leaders can measure the success of their security programs, backed by real-world examples.

Quantitative metrics: the numbers that drive success

Metrics serve as the bridge between technical implementation and business outcomes, enabling security leaders to demonstrate ROI, obtain buy-in, track progress, and establish accountability. Quantitative metrics are powerful because they convey data-driven insights in a language decision-makers understand.

1. Risk metrics

Reduction in identified risks measures how effectively your team is addressing your organization’s critical vulnerabilities over time. Risk assessment trends, meanwhile, demonstrate categories of improvement across annual or quarterly reviews, which can illustrate tangible progress.

“Every year, we do a risk assessment and show the progress in different categories within cybersecurity,” says Jane Domboski, CISO at OneMain Financial, a company that offers responsible access to credit. “Being able to show the board trends over time has been really helpful in explaining the value of what we're doing.”

2. Operational metrics

Mean time to detect (MTTD) and mean time to respond (MTTR) track the speed and efficiency of detecting and mitigating threats when they arise. Lowering MTTD and MTTR over time can indicate a maturing security program. Mean time to contain (MTTC), or the average time it takes to stop the spread of a threat, is another metric security leaders should strive to reduce to minimize the potential damage from threats. Mean time between failures (MTBF) measures the reliability of a system: the average operating time between one failure and the next.

Vulnerability patching cadence measures how quickly your team applies patches to critical vulnerabilities compared to industry benchmarks. Meanwhile, incident reduction metrics monitor the decrease in security incidents (particularly medium and high-severity incidents) over time.
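The operational metrics above are only as trustworthy as the way they are derived from raw incident and vulnerability records. The following Python is an added example (not code from Okta or any CISO quoted here) that computes MTTD, MTTC and MTTR from constructed incident timestamps and scores critical-patch SLA adherence, treating findings that are still open past their SLA as breaches rather than leaving them out. The metric definitions, record layout and 14-day SLA are assumptions for illustration.

```python
from datetime import date, datetime, timedelta
from statistics import mean

# Constructed incident records (ISO-8601 timestamps). Definitions are assumed,
# since they vary between organisations: MTTD = occurred->detected,
# MTTC = detected->contained, MTTR = detected->resolved.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2025-01-03T08:00", "detected": "2025-01-03T20:00",
     "contained": "2025-01-04T02:00", "resolved": "2025-01-05T08:00"},
    {"id": "INC-2", "occurred": "2025-02-10T09:30", "detected": "2025-02-10T11:30",
     "contained": "2025-02-10T15:30", "resolved": "2025-02-11T09:30"},
    {"id": "INC-3", "occurred": "2025-03-15T00:00", "detected": "2025-03-15T04:00",
     "contained": "2025-03-15T07:00", "resolved": "2025-03-16T00:00"},
]
# Constructed critical-vulnerability records; `patched` is None while still open.
PATCHES = [
    {"id": "VULN-1", "disclosed": "2025-01-01", "patched": "2025-01-10"},
    {"id": "VULN-2", "disclosed": "2025-02-01", "patched": "2025-02-20"},
    {"id": "VULN-3", "disclosed": "2025-03-01", "patched": None},
]
CRITICAL_PATCH_SLA_DAYS = 14  # hypothetical internal SLA for critical findings

def _hours(start, end):  # elapsed hours between two ISO timestamps
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)

def mean_time_metrics(incidents):
    """MTTD, MTTC and MTTR in hours, averaged over the given incidents."""
    return {
        "mttd_hours": mean(_hours(i["occurred"], i["detected"]) for i in incidents),
        "mttc_hours": mean(_hours(i["detected"], i["contained"]) for i in incidents),
        "mttr_hours": mean(_hours(i["detected"], i["resolved"]) for i in incidents),
    }

def patch_sla_adherence(patches, sla_days, as_of):
    """Share of critical findings closed within the SLA, measured as of the ISO date
    `as_of`. An open finding whose SLA clock has already run out counts as a breach,
    so unpatched items cannot quietly inflate the score; open findings still inside
    the window are not counted either way."""
    within = breached = 0
    for p in patches:
        disclosed = date.fromisoformat(p["disclosed"])
        age_days = (date.fromisoformat(p["patched"] or as_of) - disclosed).days
        if p["patched"] and age_days <= sla_days:
            within += 1
        elif age_days > sla_days:
            breached += 1  # patched late, or still open past the SLA
    measured = within + breached
    return {"within_sla": within, "breached": breached,
            "adherence": within / measured if measured else None}
```

Reporting the quarter-over-quarter change in these values, rather than a single snapshot, is what turns them into the trend line the board-level discussion below calls for.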

“Cyber resilience isn’t just about bouncing back from an event,” says Ken Collins, Sr. Director, Information Security at Sunbelt Rentals, a North American equipment and tool rental company. “It’s ensuring your business can continue delivering its mission even in the face of adversity, with preparedness and rehearsed expectations.”

3. Service delivery metrics

Measuring service level agreement (SLA) adherence helps ensure that you’re providing security services to stakeholders within the agreed timeframe. It’s equally important to measure business impact metrics, such as how well your team avoids application or network outages during security deployments.

At Kyndryl, an IT infrastructure provider, CISO Cory Musselman says it’s about balance. “We’ve built a ‘cyber balance scorecard’ to measure our KPIs every quarter so we can show senior leadership and the board that we’re executing against our plan. From a customer experience perspective, that means evaluating how well we’re meeting our SLAs without introducing disruptions.”

4. Security awareness training metrics

Security awareness training metrics help evaluate the human element of your security program by assessing how effectively employees internalize security best practices and apply them in real-world scenarios. Ensuring that your workforce remains vigilant and well-informed about potential threats is a critical component of reducing risk. This can include completion rates for security training programs; awareness training assessment scores; phishing simulation click rates, which track the percentage of employees who click on simulated phishing links; and phishing report rates.

“Security awareness programs should emphasize reporting suspicious activity rather than punishing mistakes,” Collins says. “We’ve seen ‘see something, say something’ drive reporting rates up, which reduces risk organization-wide.”

5. Financial metrics

Financial metrics can also be used to measure the success of your security program. For example, calculating the cost of incidents can demonstrate the savings achieved through proactive security measures. Measuring ROI will also quantify how specific tools or processes have improved security outcomes compared to their implementation cost.

Qualitative metrics: building the narrative

While quantitative metrics provide hard data, qualitative measures help tell the story behind the numbers. They contextualize security efforts, emphasizing areas where less tangible improvements still drive significant organizational value.

1. Alignment with frameworks

Many CISOs use cybersecurity frameworks such as the NIST Cybersecurity Framework (CSF) as a compass for measuring overall program maturity. While not a certification or official compliance framework, CSF provides a standardized approach to cybersecurity, helping to build confidence among stakeholders. To prove the ongoing value of a given framework, teams should regularly map their initiatives to its core pillars, such as the ability to identify, protect, detect, respond, and recover.

“Early on, success looks like adhering to some compliance standards or tackling risks identified in external audits,” Collins says. “But in a mature program, those become your baseline, and success evolves into addressing advanced threats through operational efficiency rather than heroism.”

2. Stakeholder feedback

To optimize your cybersecurity programs for the future, gather feedback from other business units and stakeholders. How well does your program foster a culture of security awareness? How does it support data accessibility, system uptime, or timely threat remediation? Actively seeking and addressing this feedback demonstrates a commitment to collaboration and continuous improvement.

“A CEO saying ‘good job’ is an important metric, too,” Collins says. “It reflects confidence in your work and indicates your security program resonates with leadership’s business priorities.”

3. Talent metrics

CISOs are incorporating their team's performance and well-being into their overall strategy for measuring the success of their security programs. Important metrics to track in this area include employee retention and employee experience to ensure critical team members remain engaged. Additionally, CISOs should track efficiency gains to determine whether junior and less experienced team members are empowered with the tools they need to contribute more effectively.

As Musselman says, “On the talent side of cybersecurity, we look at retention, diversity, and employee experience because a strong, engaged team is at the heart of everything we do.”

From metrics to action

Measuring and communicating your security program’s successes is key to getting buy-in, proving value, and identifying areas for improvement — all of which can amplify the success of your program, in a feedback loop. Make sure to align your metrics with broader business objectives, leverage tools like balanced scorecards, and use frameworks such as NIST to guide your strategy.

If you’re just starting out, it’s OK to start small. “Start with something simple,” says Collins. “Even one metric can give you a foundation. Get it reliable before you expand. Trying to set up 15 metrics at once will give you noise, not insights.”

By combining hard data with compelling narratives, you can effectively measure the success of your program while driving continuous improvements over time.

As Collins says, “Consistency, clarity, and communication are key. Speak their language, show your work, and don’t just measure your program — measure its impact.”

For more insights, check out our guide for CISOs on how to prove the ROI of cybersecurity.
