Reporting on Information Security Metrics That Matter to Executive Leadership

July 1, 2021 | By IANS Faculty

This piece provides information security teams with examples of metrics that matter to board members and executives along with guidance for presenting the data in a way that makes it easy for leadership to understand and act on.

We highlight the following meaningful information security metrics for teams to track for executive leadership:

  • Results of third-party penetration tests
  • Internal scans the information security team runs daily, weekly, and quarterly
  • Phishing campaigns run by year and performance metrics (susceptibility, etc.)
  • Plan of action and milestones (POA&M) metrics, including items per quarter, open items, etc.
  • Security event statistics

Reporting Information Security Metrics to Leadership

Consider sticking to reporting on items you can control. You can’t control how many attacks you face, how much email you receive, etc. If it’s not something you can control and improve, crafting a compelling story becomes difficult. When reporting on security metrics that matter to executive leadership, it is important to keep your eye on the goal. What is it you are trying to help leadership see and understand, and what actions are you hoping to spur? Figure out the stories you want to tell and the changes you want made, and then align your graphics to support that.

Reporting on Penetration Test Results

With penetration tests, teams usually need to show what was found and what the current state of remediation is. The cleanest way to do that is with a dual bar chart. Show the number of original findings and the number of findings left to remediate. We suggest displaying it as a function of spend, so it’s clear how the cost of remediation affects the status (see Figure 1).


chart showing pen test results by criticality cost and cost to remediate


In the above penetration test result chart, it’s easy to see the pen test report results that cost most are still left to remediate, perhaps due to budget constraints. You could use a similar chart to show time required in hours, which would help tell a similar story for resource constraints.

Reporting on Internal Vulnerability Scans 

Vulnerability scan metrics are usually presented in line charts. Let’s assume your organization has committed to a 15-day window to patch critical vulnerabilities, a 30-day window to patch highs and a 60-day window to patch mediums/lows. Consider using a red line to show the number of critical vulnerabilities that are still not patched 15 days out, an orange line to show the number of highs still not patched 30 days out and so on (see Figure 2).


chart showing vulnerability scan patch metrics


You might also want to present the number of vulnerabilities you don’t plan to address and why. This can be done in a way like the penetration test chart in Figure 1. Use one bar for criticals and cost numbers, whatever makes the most sense. List the projects and what you would need to do to fix them.

Reporting on Phishing Campaigns 

When it comes to reporting on the effectiveness of your phishing program, a good story to consider conveying to leadership might be that as the number of people attending phishing training increases, the number of people clicking on phishing emails drops. And that can be shown in a bar chart (see Figure 3).


chart showing phishing training attendance phishing emails clicked


You might also want to show this by business unit. Another interesting phishing metric is to show the number of users who are trained vs. those who click on phishing emails by type of campaign, e.g., a delivery service (UPS/FedEx) scam, mergers and acquisitions (M&A), taxes, spear-phishing, etc.

Reporting on POA&M Metrics 

POA&M metrics can usually be shown most easily in a simple trend line. An option here is to show the targets by quarter and whether those targets are met over time. Since each project will have different plans of action, they should each have their own graphic for reporting (see Figure 4).


chart showing poam metrics show targets met over time


Reporting on Endpoint & SIEM Ingestion Statistics 

In terms of ingestion into your SIEM, consider creating a graphic similar to the POA&M example, with a similar trend line showing non-critical servers vs. critical servers (see the Sumo Logic example in Figure 5).


chart showing sumo ingestion stats critical vs non critical servers


As for endpoint security metrics, consider using a pie chart as most individuals can read them easily, so there’s a good case to be made for usability.

Consider showing lost productivity by hours, using categories like malware rebuilds, phishing cleanup, investigation, and hardware failure (see Figure 6).


chart showing show endpoint stats in terms of lost productivity


Reporting on these by business unit is also a possibility, perhaps showing Business Unit 3 is losing the most time to malware rebuilds. If malware rebuilds are taking an increasing amount of time and contributing to increasing amounts of lost productivity, a case can be made for better blocking technology. The idea is to report on the pain points and show a complete picture of the situation.

Reporting on Security Events 

The idea here is to help executive leadership visualize the process. Consider using a stacked bar chart to present metrics on event occurrence, detection, containment, remediation, and strategic prevention for a variety of different events (see Figure 7).


chart showing security event stats can help visualize the process


Tips for Presenting Information Security Metrics to Executives 

When presenting metrics to the C-suite and other executive leaders, it’s important to be clear and keep your story front and center. To be successful:

  • Focus on what’s important. Try to avoid drowning the audience in data. Ensure each graphic helps add to the story you want to tell. If it doesn’t, don’t use it.
  • Try to avoid telling stories you can’t execute on. Figure out what you have capacity to work on for next four quarters and show graphics for that. Of course, if your executive leadership ask for certain specifics, report on those, but don’t bring in a truckload of data you can’t act on.


RELATED CONTENT:  How Information Security Leaders Can Engage the Board Effectively


Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Access time-saving tools and helpful guides from our Faculty.

IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.