New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

All Articles
Metrics
3 min read

Security Metrics That Actually Matter to the Board

Most security dashboards measure how busy the team looks, not whether the organisation is safer. Track these five – and retire the vanity ones.

Christina Arcane

It's easy to drown in security metrics. Tools generate them by the thousand, and most measure activity rather than outcomes – how many alerts fired, how many scans ran, how many emails were quarantined. They make a dashboard look busy. They tell a board nothing about whether the organisation is actually harder to breach this quarter than last.

A good metric answers a question someone is about to make a decision on. Here are five that do, plus the vanity numbers they should replace.

1. Phishing reporting rate (not click rate)Link to this section

Everyone obsesses over click rate. Reporting rate is the better number. Clicks tell you people are human; reports tell you your early-warning system works. A workforce that reports the suspicious email gives you minutes of warning on a live campaign. One that silently deletes it gives you nothing.

Click rate measures the mistake. Reporting rate measures the immune system.

2. Patch latencyLink to this section

How long does a known-critical vulnerability sit unpatched in your environment? This single number predicts more real-world risk than almost anything else, because most intrusions use a flaw that had a fix available. Track the time from patch-available to patch-applied on critical systems, and watch the trend, not just today's snapshot.

3. MFA and privileged-access coverageLink to this section

Two questions, one metric: what percentage of accounts have multi-factor authentication, and how many people hold standing administrative privileges? The first should be approaching 100%. The second should be smaller than your instinct says is convenient. Both are directly tied to how far an attacker can get with one stolen password.

4. Behaviour change, not training completionLink to this section

Completion percentage measures attendance. Track whether risky behaviour actually drops after you train: repeat-click trends, reporting speed, the size of your highest-risk group over time. A program that moves behaviour is worth funding. One that only moves a completion bar is theatre.

5. AI tool exposureLink to this section

The newest metric, and the one most boards are starting to ask about. Do you know which AI tools your organisation uses, who owns them, and what data they touch? "We have a complete AI register" versus "we have no idea" is a genuine risk signal – and a question your auditors, customers, and regulators will all arrive with. Measuring your shadow-AI footprint is now part of measuring your attack surface.

Tie every metric to a decisionLink to this section

MetricThe decision it informs
Phishing reporting rateWhere to focus awareness effort
Patch latencyWhether to invest in patch automation
MFA / privileged accessWhere the next access tightening goes
Behaviour changeWhether the training program earns its budget
AI tool exposureWhether AI governance needs attention now

Pick two to improve this quarter. Trying to move all five at once is how dashboards get built, admired for a week, and quietly abandoned. The goal was never a prettier dashboard – it was a safer organisation, and a board that can tell the difference.