I’ve reviewed hundreds of cybersecurity metrics programs over the last 15 years. I’ve stated repeatedly, and confidently, two things:
No one can give you your list of metrics.
You should not use operational metrics with executive decision makers.
I was wrong.
It turns out I can tell you exactly what your metrics should be… and ironically, they are operational metrics. They are not particularly complex or sophisticated, they are just measuring the right thing: Value.
Gartner’s construct for outcome-driven metrics (ODMs) is ideal to measure cybersecurity value. ODMs measure a direct line-of-sight to protection levels (value) expressed as an operational outcome.
For example, “number of days to patch critical systems” is an ODM for threat and vulnerability management. It is an operational outcome in which we can directly invest, and it has a direct line of sight to the value proposition of patching, which is to reduce the amount of time that vulnerabilities are available for exploitation.
Gartner has more than 100 outcome-driven metric examples across 20 control classes that all share the same characteristics for measuring value delivery. They represent operational outcomes with a direct line of sight to the protection levels (value) created by the controls they measure.
We are benchmarking 20 of these.
We are doing a lot of metrics reviews with our clients. We can identify metrics that are OK as-is, ones that can be improved with the right characteristics, and ones you should just throw away because they’re worthless. Many of the ones we would identify as good are hidden because nobody understands their value.
You’re wasting your time on metrics that don’t guide priorities or investments in security and don’t put them in a business context for your board. That’s an acid test for the value of a metric.
A second acid test is: are these metrics influencing any decision making? Because if they’re not, again, you’re wasting your time.
Enough Already, Just Give Me the Metrics
Here are 5 examples of cybersecurity value delivery metrics you should give to your board. Gartner clients have access to 20 of these that are being benchmarked globally and a catalog of more than 100 across 20 cybersecurity control classes.
- Time to Remediate Incidents: What is your average time (in hours) between incident ticket generation and ticket close for “critical & high priority” security incidents?
- OS Patching Cadence (Standard): What is your average time (in days) to apply critical operating system patches within your standard patch process?
- Risky 3rd Parties Engaged: What percentage of known third parties with poor security assessment results have been engaged by the organization?
- Phishing Reporting Rates: What is your percentage of people who report suspicious emails for your standard organization-wide phishing campaigns?
- Recovery Testing – Core Systems: What is your percentage of core systems supporting critical business/mission functions that have successfully completed full recovery testing in the last 12 months?
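The five metrics above are only useful to a board if everyone computes them the same way, so the operational definition matters: which tickets count, what happens to incidents that are still open, what the measurement window is, and what to report when the denominator is zero. The following is an added example (mine, not Gartner’s code or benchmark method) that computes each of the five ODMs from constructed sample records; the record schemas, field names and sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional, Sequence

# Record schemas below are assumed for this example, not a Gartner data model.

@dataclass
class Incident:
    opened: datetime
    closed: Optional[datetime]   # None = still open; excluded from the average
    priority: str                # "critical", "high", "medium", "low"

@dataclass
class Patch:
    released: datetime           # vendor release of the OS patch
    applied: Optional[datetime]  # None = not yet applied
    severity: str
    process: str                 # "standard" (in-scope) vs "emergency"

@dataclass
class ThirdParty:
    name: str
    assessment: str              # "poor", "acceptable", "good"
    engaged: bool

@dataclass
class PhishingCampaign:
    recipients: int
    reported: int

@dataclass
class CoreSystem:
    name: str
    last_full_recovery_test: Optional[datetime]  # None = never tested
    passed: bool

def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to 0.1; None when nothing is measurable (zero denominator)."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)

def time_to_remediate_hours(incidents: Sequence[Incident],
                            priorities=("critical", "high")) -> Optional[float]:
    # Only closed critical/high tickets count; open tickets would skew the average.
    hours = [(i.closed - i.opened).total_seconds() / 3600
             for i in incidents if i.priority in priorities and i.closed is not None]
    return round(mean(hours), 1) if hours else None

def os_patch_cadence_days(patches: Sequence[Patch]) -> Optional[float]:
    # Critical patches applied through the standard process only.
    days = [(p.applied - p.released).total_seconds() / 86400
            for p in patches
            if p.severity == "critical" and p.process == "standard" and p.applied is not None]
    return round(mean(days), 1) if days else None

def risky_third_parties_engaged_pct(parties: Sequence[ThirdParty]) -> Optional[float]:
    poor = [p for p in parties if p.assessment == "poor"]
    return pct(sum(1 for p in poor if p.engaged), len(poor))

def phishing_reporting_rate_pct(campaigns: Sequence[PhishingCampaign]) -> Optional[float]:
    return pct(sum(c.reported for c in campaigns), sum(c.recipients for c in campaigns))

def recovery_tested_pct(systems: Sequence[CoreSystem], as_of: datetime,
                        window_days: int = 365) -> Optional[float]:
    cutoff = as_of - timedelta(days=window_days)
    ok = sum(1 for s in systems
             if s.passed and s.last_full_recovery_test is not None
             and s.last_full_recovery_test >= cutoff)
    return pct(ok, len(systems))

def board_report(as_of: datetime = datetime(2022, 4, 1)) -> dict:
    """Compute all five ODMs over constructed sample data."""
    d = datetime
    incidents = [
        Incident(d(2022, 3, 1, 8), d(2022, 3, 1, 20), "critical"),   # 12 h
        Incident(d(2022, 3, 2, 9), d(2022, 3, 3, 9), "high"),        # 24 h
        Incident(d(2022, 3, 3, 9), d(2022, 3, 7, 13), "medium"),     # excluded: priority
        Incident(d(2022, 3, 28, 9), None, "critical"),               # excluded: still open
    ]
    patches = [
        Patch(d(2022, 2, 1), d(2022, 2, 11), "critical", "standard"),   # 10 days
        Patch(d(2022, 2, 5), d(2022, 2, 25), "critical", "standard"),   # 20 days
        Patch(d(2022, 2, 10), d(2022, 2, 11), "critical", "emergency"), # excluded: process
        Patch(d(2022, 3, 20), None, "critical", "standard"),            # excluded: not applied
    ]
    parties = [ThirdParty("v1", "poor", True), ThirdParty("v2", "poor", False),
               ThirdParty("v3", "poor", False), ThirdParty("v4", "poor", False),
               ThirdParty("v5", "good", True)]
    campaigns = [PhishingCampaign(1000, 120), PhishingCampaign(500, 60)]
    systems = [CoreSystem("erp", d(2021, 6, 1), True),      # in window, passed
               CoreSystem("crm", d(2021, 2, 1), True),      # outside 12-month window
               CoreSystem("hr", None, False),               # never tested
               CoreSystem("billing", d(2022, 1, 15), False)] # tested but failed
    return {
        "time_to_remediate_hours": time_to_remediate_hours(incidents),
        "os_patch_cadence_days": os_patch_cadence_days(patches),
        "risky_third_parties_engaged_pct": risky_third_parties_engaged_pct(parties),
        "phishing_reporting_rate_pct": phishing_reporting_rate_pct(campaigns),
        "recovery_tested_pct": recovery_tested_pct(systems, as_of),
    }

if __name__ == "__main__":
    for name, value in board_report().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that each function encodes its scope rule explicitly (closed tickets only, standard process only, a fixed 12-month window) and returns `None` rather than 0 when there is nothing to measure, so a board slide cannot silently show a perfect score for a control that was never exercised.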
Webinar and Benchmark Release
April 20, 2022, 11:00 AM ET: the webinar “Make Cybersecurity a Priority Business Investment” addresses this topic and more. This webinar is open to everyone and will be available for replay.
Note: This is one of the three unanswered board questions that drive cybersecurity investment. Visit Gartner’s blog for more information. This article is republished with permission of Gartner.
Paul Proctor is Distinguished VP Analyst, Gartner. Follow him on Twitter at