Why Security Controls Metrics matter - and how to measure them
Measuring control effectiveness requires the right metrics — ones that are consistent, contextualised, and connected to business risk. This catalog documents every security control metric in the Panaseer platform across eleven domains, giving you a complete reference for your team's control KPIs, audit evidence, and board reporting.
What are cybersecurity control effectiveness metrics?
Cybersecurity control effectiveness metrics are quantifiable data points used to measure, track, and assess an organization's security posture and risk level.
They identify risk, validate the performance of security tooling, and support compliance. For many organizations, they are often broken down into Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and Key Control Indicators (KCIs) - and are more commonly referred to as control KPIs.
Measuring control performance across multiple cybersecurity domains
Bringing data from disparate systems together
Continuous Controls Monitoring (CCM) platforms - such as Panaseer's - provide automated cybersecurity data analytics, designed to measure risk and reduce control failures.
Panaseer provides control effectiveness metrics and measures across eleven cyber control domains:
- Device and Coverage
- Vulnerability management
- Endpoint Protection
- Patch Management
- Application Security
- Identity and Access Management
- Privileged Access Management
- User Awareness
- Cloud Configuration
- Infrastructure Configuration
- AI Governance
The Panaseer platform provides daily objective insights into controls coverage, effectiveness and performance. This helps to address hidden risks, strengthen governance, speed up compliance reporting, and maintain continuous audit readiness.
We ingest data from security, IT and business tools, creating connections and relationships between previously disparate data points, even where there were missing data fields previously. The output is a clear view of control owners and the assets they’re accountable for. This is mapped to an objective measurement of controls effectiveness and the criticality levels determined by business factors such as services, division or region.
Panaseer's Data Management Centre gives you visibility into the flow and health of your connected data
Cybersecurity metric types
Surfacing insights you can act upon
There are five different types of cybersecurity metrics within the Panaseer platform, designed to surface different levels of insights.
- Informational. Informational measures are straightforward counts and sums. For example, total number of vulnerabilities, or total number of Windows 7 machines. They are the building blocks for more complex measurements.
- Diagnostic. If you have identified areas of sub-par performance using policy metrics, diagnostic metrics provide more in-depth insight that helps you to narrow down the root cause and quickly identify actions that help reduce risk.
- Policy. Policy metrics allow you to track adherence to your internal policies. This can be your organization’s unique policies configured in the platform or compliance with regulatory standards and established frameworks.
- Coverage. Coverage metrics provide essential context for any performance measures. It is measurement best practice to track the coverage and completeness of the data sources. For example, a vulnerability scanner will only provide data on devices it scans, so you need to know what it isn’t scanning.
- Compound Risk. Compound risk metrics combine metrics from across multiple domains to identify “toxic combinations” of risks and control failures. For example, they allow you to prioritize patching critical vulnerabilities on devices that don’t have an endpoint solution in place. This combines metrics from our patch, vulnerability and endpoint domains so you can focus on specific attack paths.

There are over 250 metrics available in the Panaseer platform
Asset types and inventories
Creating trusted asset inventories is the foundation for any cybersecurity reporting
Panaseer’s metrics and measures are underpinned by comprehensive, interlinked asset inventories. This enables you to take a flexible approach, pivoting metrics to focus on different asset types.
- Devices. These assets include user devices, servers, virtual machines, mobile devices, IoT, cloud infrastructure.
- People. People assets cover everyone from contractors to permanent staff, with information about their title, line manager and other relevant context, such as any assets and applications they own.
- Applications. Application assets include in-house, business critical applications such as payment systems, and trading systems.
- Accounts. This includes those across Windows, Linux and Unix, both centrally managed (e.g. via Active Directory) and local, both on-prem and in the cloud.
- Databases. This covers any database that supports your business applications, including information taken directly from the systems themselves or from administration tooling.

Cybersecurity Controls Scorecard overview

NIST cybersecurity framework (CSF) v2.0 dashboard
Metric dimensions
The properties needed to effectively analyze your cybersecurity metrics
All metrics can be pivoted and filtered by many dimensions to focus on different asset types or areas of the business. For example, you can explore the % of outstanding out-of-policy patches (patch focused) and the % of devices with outstanding out-of-policy patches (device focused).
This capability can handle complex filters using different values to analyze different subsets of your assets, allowing you to see an overall measure of policy compliance. For example, you may have set an internal standard of applying patches within 30 days for servers hosting business-critical, internet-facing applications and within 90 days for all other servers. Different standards (or filters) can be applied based on various combinations of dimensions, such as device type, device criticality, vulnerability severity and other factors, based on your risk appetite.
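The following is an added example, not code from Panaseer or from this page, showing how the metric types described above (informational, coverage, policy, compound risk) and the dimension-based patch standard in the paragraph above can be computed over a small asset inventory. The inventory, hostnames, divisions and patch ages are constructed for illustration; the 30-day/90-day server standard mirrors the page's example, and the 30-day workstation standard is an assumption added so every device has a policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One row of a constructed device inventory (hypothetical data)."""
    name: str
    device_type: str       # "server" or "workstation"
    criticality: str       # "critical" or "standard"
    internet_facing: bool
    division: str
    in_vuln_scanner: bool  # the vulnerability scanner has reported on this device
    has_edr: bool          # an endpoint protection agent is installed and reporting
    open_patches: tuple    # (severity, days_outstanding) pairs from the patch tool


# Constructed sample inventory; names and values are not real assets.
DEVICES = [
    Device("srv-pay-01", "server", "critical", True, "Payments", True, True, (("critical", 45), ("high", 10))),
    Device("srv-pay-02", "server", "critical", True, "Payments", True, False, (("critical", 12),)),
    Device("srv-hr-01", "server", "standard", False, "HR", True, True, (("high", 100), ("low", 5))),
    Device("srv-hr-02", "server", "standard", False, "HR", False, True, ()),
    Device("wks-ops-01", "workstation", "standard", False, "Ops", True, False, (("critical", 3),)),
]


def patch_sla_days(d: Device) -> int:
    """Dimension-based patch standard: 30 days for business-critical, internet-facing
    servers, 90 days for other servers (page's example); 30 days for workstations (assumed)."""
    if d.device_type == "server":
        return 30 if (d.criticality == "critical" and d.internet_facing) else 90
    return 30


def filter_by(devices, **dims):
    """Pivot the inventory on any dimension, e.g. filter_by(DEVICES, division="Payments")."""
    return [d for d in devices if all(getattr(d, k) == v for k, v in dims.items())]


def informational_total_patches(devices) -> int:
    """Informational metric: a plain count of outstanding patches."""
    return sum(len(d.open_patches) for d in devices)


def coverage_not_scanned(devices) -> list:
    """Coverage metric: inventory devices the vulnerability scanner has never reported on.
    These devices show zero findings, so policy metrics alone would silently treat them as compliant."""
    return [d.name for d in devices if not d.in_vuln_scanner]


def policy_out_of_policy_patches(devices) -> float:
    """Policy metric, patch focused: % of outstanding patches older than the device's SLA."""
    total = out_of_policy = 0
    for d in devices:
        sla = patch_sla_days(d)
        for _severity, age in d.open_patches:
            total += 1
            if age > sla:
                out_of_policy += 1
    return round(100 * out_of_policy / total, 1) if total else 0.0


def policy_devices_with_out_of_policy(devices) -> float:
    """Policy metric, device focused: % of devices with at least one out-of-policy patch."""
    if not devices:
        return 0.0
    failing = sum(1 for d in devices if any(age > patch_sla_days(d) for _s, age in d.open_patches))
    return round(100 * failing / len(devices), 1)


def compound_critical_vuln_no_edr(devices) -> list:
    """Compound risk metric: devices with an outstanding critical patch AND no endpoint protection,
    joining the patch and endpoint domains to surface the toxic combination."""
    return [d.name for d in devices
            if not d.has_edr and any(sev == "critical" for sev, _age in d.open_patches)]


if __name__ == "__main__":
    print("Total outstanding patches:", informational_total_patches(DEVICES))
    print("Not covered by scanner:", coverage_not_scanned(DEVICES))
    print("Out-of-policy patches (%):", policy_out_of_policy_patches(DEVICES))
    print("Devices with out-of-policy patches (%):", policy_devices_with_out_of_policy(DEVICES))
    print("Servers only, device focused (%):", policy_devices_with_out_of_policy(filter_by(DEVICES, device_type="server")))
    print("Critical patch outstanding and no EDR:", compound_critical_vuln_no_edr(DEVICES))
```

Reporting the coverage list next to the policy percentages is the point of the coverage metric: srv-hr-02 contributes no findings only because nothing scans it, and without the coverage figure it would be indistinguishable from a fully patched server.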
Below are some common dimensions used by CISOs, InfoSec Directors and Heads of GRC when analyzing their metrics data:
- Business - organizational. Division, Business Unit, Department, Team
- Business - geographical. Region, Country, City
- Devices. Device type, Operating system type, Device criticality, Network location, Functional role
- People. Job title, Job category, Employment type, Line manager
- Applications. Category, Owner, Confidentiality, Availability, Environment type
- Accounts. Account type, Status (active/disabled).
Metric visualizations
Turning metrics into tangible results that are simple to digest
To help make the data easy to understand, users of Panaseer have the ability to choose the type of visualization that’s best suited to each metric, using our suite of best practice options.
Some examples include metric cards, stacked column chart, stacked bar chart, multi-line time series chart with thresholds, spark line trellis chart with thresholds, interactive table, and heatmap.