It's easy to drown in security metrics. Tools generate them by the thousand, and most measure activity rather than outcomes – how many alerts fired, how many scans ran, how many emails were quarantined. They make a dashboard look busy. They tell a board nothing about whether the organisation is actually harder to breach this quarter than last.
A good metric answers a question someone is about to make a decision on. Here are five that do, plus the vanity numbers they should replace.
1. Phishing reporting rate (not click rate)Link to this section
Everyone obsesses over click rate. Reporting rate is the better number. Clicks tell you people are human; reports tell you your early-warning system works. A workforce that reports the suspicious email gives you minutes of warning on a live campaign. One that silently deletes it gives you nothing.
Click rate measures the mistake. Reporting rate measures the immune system.
2. Patch latencyLink to this section
How long does a known-critical vulnerability sit unpatched in your environment? This single number predicts more real-world risk than almost anything else, because most intrusions use a flaw that had a fix available. Track the time from patch-available to patch-applied on critical systems, and watch the trend, not just today's snapshot.
3. MFA and privileged-access coverageLink to this section
Two questions, one metric: what percentage of accounts have multi-factor authentication, and how many people hold standing administrative privileges? The first should be approaching 100%. The second should be smaller than your instinct says is convenient. Both are directly tied to how far an attacker can get with one stolen password.
4. Behaviour change, not training completionLink to this section
Completion percentage measures attendance. Track whether risky behaviour actually drops after you train: repeat-click trends, reporting speed, the size of your highest-risk group over time. A program that moves behaviour is worth funding. One that only moves a completion bar is theatre.
5. AI tool exposureLink to this section
The newest metric, and the one most boards are starting to ask about. Do you know which AI tools your organisation uses, who owns them, and what data they touch? "We have a complete AI register" versus "we have no idea" is a genuine risk signal – and a question your auditors, customers, and regulators will all arrive with. Measuring your shadow-AI footprint is now part of measuring your attack surface.
Tie every metric to a decisionLink to this section
| Metric | The decision it informs |
|---|---|
| Phishing reporting rate | Where to focus awareness effort |
| Patch latency | Whether to invest in patch automation |
| MFA / privileged access | Where the next access tightening goes |
| Behaviour change | Whether the training program earns its budget |
| AI tool exposure | Whether AI governance needs attention now |
Pick two to improve this quarter. Trying to move all five at once is how dashboards get built, admired for a week, and quietly abandoned. The goal was never a prettier dashboard – it was a safer organisation, and a board that can tell the difference.