Panaseer announced guidance on best practice cybersecurity measurements to help avoid incidents. Currently, there is limited industry guidance around the most important metrics to evaluate, and how to standardize calculations and policies as part of a high-quality security metrics program. With the right metrics organizations improve visibility into and raise their security posture, helping to limit exposure to successful attacks, such as ransomware, or vulnerabilities including FireEye or SolarWinds. 

Among highly regulated, global organizations, Panaseer has determined that the top ten most frequently used security metrics are (in order of popularity): 

  1.      Vulnerability remediation SLA compliance
  2.      Endpoint detection SLA compliance
  3.      Vulnerability scan coverage
  4.      CMDB inventory completeness coverage
  5.      Endpoint detection coverage
  6.      Vulnerability outlier analysis
  7.      Active Directory enrolment coverage
  8.      Application security scan coverage
  9.      Application security SLA compliance
  10.   Active employee leavers

The Metrics Catalogue has been curated from a wide community of customers, industry experts, framework organizations such as NIST and in collaboration with the Center for Internet Security (CIS). The proposition also provides recommendations to enable security teams to instantly improve their security metrics program overall via metric groupings that include a ‘getting started’ collection, a peer-based recommendation collection, a customer favorites collection, and access to newly emerging metric suggestions.

The company is also sharing best practices with the broader industry, through a new free resource, in a ‘Security Metrics Hub.’ It includes advice and educational security measurement material aimed to help enterprises overcome the challenge of determining the most impactful metrics for their program. 

CCM is fast becoming a required capability for regulated enterprises. The technology is solving one of the biggest challenges in cybersecurity today – enterprises do not know if their security controls are providing full protection at any given moment. Last year CCM was included as a new category in Gartner’s Risk Management Hype Cycle.

Last year Panaseer commissioned a study of 400 security leaders* working in large financial services companies. The vast majority (96.77%) of respondents claimed they use metrics to measure their cyber posture. However, less than half of respondents (47.75%) could claim to be ‘very confident’ that they are using the right security metrics. 

For more information on the 10 most popular security metrics, please see: