How to actually measure security: a board-ready KPI and KRI sheet
Cyber security February 2026 5 min read

A one-page set of operational and risk indicators we use with our clients. You can copy it, adapt the thresholds and start reporting against it next quarter.

By FACG cyber team

Boards do not want a SIEM dashboard. They want a one-page summary of how exposed they are, whether the team is keeping up and where the money is being spent well or badly. Here is the KPI/KRI sheet we use with most of our managed-SOC clients. Copy it, adapt thresholds and use it next quarter.

Operational KPIs (how the team is performing)

  • Mean time to acknowledge (MTTA) for P1 alerts. Target: less than 15 minutes. Trend over 12 months.
  • Mean time to contain (MTTC) for confirmed incidents. Target: less than 4 hours for endpoint, less than 1 hour for identity.
  • Patch compliance rate for critical patches at 14 days. Target: 95 percent. Show breakdown by OS family.
  • Phishing simulation click rate. Target: less than 5 percent. Trend over 12 months.
  • Backup restore test success rate. Target: 100 percent. One restore test per critical system per quarter.

Risk KRIs (how exposed we are)

  • Number of internet-facing services without MFA. Target: 0. Hard fail.
  • Number of accounts in privileged groups (Domain Admin, Global Admin) without PIM/JIT. Target: 0.
  • External attack surface count (services, IPs, certificates) versus baseline. Target: trending flat or down.
  • Critical vulnerabilities older than SLA. Target: 0 internet-facing, less than 5 internal.
  • Number of users in elevated risk states in the last 30 days (Entra ID Identity Protection). Target: less than 1 percent of user base.
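As an added illustration (not FACG's own tooling), here is how three of the indicators above could be computed from exported data and scored against the sheet's targets: MTTA for P1 alerts, critical patch compliance at 14 days broken down by OS family, and the hard-fail KRI of internet-facing services without MFA. The alert, patch and service records are constructed sample data and their field names are assumptions:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample data (not client records), shaped like ticketing and scanner exports.
P1_ALERTS = [
    {"raised": "2026-01-05T09:00", "acked": "2026-01-05T09:08"},
    {"raised": "2026-01-12T22:30", "acked": "2026-01-12T22:55"},
    {"raised": "2026-01-20T03:15", "acked": "2026-01-20T03:21"},
]
CRITICAL_PATCHES = [  # installed is None while the patch is still missing
    {"host": "web01", "os": "Linux", "released": "2026-01-01", "installed": "2026-01-09"},
    {"host": "db01", "os": "Linux", "released": "2026-01-01", "installed": "2026-01-20"},
    {"host": "ws-17", "os": "Windows", "released": "2026-01-01", "installed": "2026-01-03"},
    {"host": "ws-22", "os": "Windows", "released": "2026-01-01", "installed": None},
]
INTERNET_FACING = [
    {"service": "vpn.example.test", "mfa": True},
    {"service": "owa.example.test", "mfa": False},
]

def mtta_minutes(alerts):
    """Mean time to acknowledge in minutes: alert raised -> analyst acknowledged."""
    gaps = [datetime.fromisoformat(a["acked"]) - datetime.fromisoformat(a["raised"])
            for a in alerts]
    return sum(g.total_seconds() for g in gaps) / 60 / len(gaps)

def patch_compliance_by_os(patches, window_days=14):
    """Percent of critical patches installed within window_days of release, per OS
    family. A patch still missing counts as non-compliant, so pending work shows."""
    seen, ok = defaultdict(int), defaultdict(int)
    for p in patches:
        seen[p["os"]] += 1
        if p["installed"] is not None:
            age = datetime.fromisoformat(p["installed"]) - datetime.fromisoformat(p["released"])
            ok[p["os"]] += age.days <= window_days
    return {os_: round(100 * ok[os_] / seen[os_], 1) for os_ in seen}

def services_without_mfa(services):
    """KRI with a hard-fail target of zero: every entry returned is a red item."""
    return [s["service"] for s in services if not s["mfa"]]

def board_sheet():
    """Score each indicator against the target from the sheet: name -> (value, RAG)."""
    mtta = mtta_minutes(P1_ALERTS)
    comp = patch_compliance_by_os(CRITICAL_PATCHES)
    no_mfa = services_without_mfa(INTERNET_FACING)
    return {
        "MTTA for P1 alerts (minutes)": (round(mtta, 1), "green" if mtta < 15 else "red"),
        "Critical patch compliance at 14 days (%)": (comp, "green" if min(comp.values()) >= 95 else "red"),
        "Internet-facing services without MFA": (len(no_mfa), "green" if not no_mfa else "red"),
    }
```

With this data the sheet shows MTTA green at 13 minutes, patch compliance red at 50 percent on both OS families, and one red hard-fail service without MFA.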

Programme indicators (how we are progressing)

  • Microsoft Secure Score (or equivalent). Target: improving by 5 percent quarter on quarter.
  • Open audit findings by age. Target: 0 over 90 days, less than 3 over 30 days.
  • Security training completion rate. Target: 95 percent within 30 days of joiner date.
  • ISO 27001 / Cyber Essentials Plus status. Target: certified, no major non-conformities.

Financial indicators

  • Cyber security spend as percent of IT budget. Benchmark: 8 to 14 percent for most sectors.
  • Cyber insurance premium trend. Target: flat or improving year on year.
  • Cost of incidents in the last 12 months (recovered + unrecovered + remediation cost).

What not to put on the board pack

  • Number of blocked emails or malware detections. Volume metrics are not risk indicators.
  • Specific tool dashboards (Sentinel, Defender, Wazuh). Boards do not need to see your console.
  • Long lists of acronyms without context.
  • Anything you cannot explain in plain English in under 30 seconds.
