Security teams love to report metrics. Dashboards full of vulnerability counts, scan frequencies, and patch rates. But most security metrics are noise — they measure activity, not outcomes. They tell you that security is busy, not that your organization is actually more secure.
As a CTO, you need metrics that answer one question: Is our security posture improving or degrading?
The Metrics That Matter
1. Mean Time to Remediate (MTTR)
The single most important security metric. How long does it take from vulnerability discovery to fix deployment?
MTTR Breakdown
Discovery to Triage
Time from when a vulnerability is identified (via scanning, audit, or incident) to when it's assessed and prioritized. Target: under 24 hours for Critical, under 3 days for High.
Triage to Fix
Time from prioritization to a developer completing the fix. This measures your team's security responsiveness. Target: under 3 days for Critical, under 2 weeks for High.
Fix to Deployment
Time from fix completion to production deployment. If this is slow, your deployment pipeline needs work — security fixes shouldn't wait for the next release train.
Total MTTR
The end-to-end number. Industry average for critical vulnerabilities: 60 days. Top-performing teams: under 7 days. If your MTTR is trending up, your security posture is degrading regardless of what other metrics say.
ℹ️ MTTR by Severity
Track MTTR separately for each severity level. A fast MTTR on Low findings but slow on Critical findings is worse than a moderate MTTR across the board. Weight your reporting toward Critical and High — those are the vulnerabilities attackers exploit.
2. Vulnerability Density
Track the number of vulnerabilities per unit of code or per application, over time:
Per Release
How many vulnerabilities are found in each release? Is the trend going up (more bugs per release) or down? This measures whether your secure development practices are improving.
Per Application
Which applications have the highest vulnerability density? This identifies where to focus security investment — additional training, more thorough reviews, architectural improvements.
By Vulnerability Class
What types of vulnerabilities are most common? If you keep finding SQL injection, your developers need training on parameterized queries. Pattern analysis drives targeted improvement.
New vs Recurring
Are you finding new vulnerability types, or the same ones over and over? Recurring vulnerability classes indicate systemic issues — as we discussed in post-audit maintenance, systemic fixes are more durable than one-off patches.
3. Security Debt
Like technical debt, security debt accumulates when you accept known risks:
Vanity Metric → Actionable Metric
- Total vulnerabilities found (bigger number = more scanning, not more risk) → Open Critical/High vulnerabilities past SLA (actual current risk)
- Number of scans run (activity, not outcome) → MTTR trend over last 4 quarters (improving or degrading)
- Percentage of assets scanned (coverage without context) → Critical assets without recent security assessment (blind spots)
- Number of security tools deployed (tool sprawl ≠ security) → Percentage of findings fixed vs accepted as risk (risk appetite)
⚠️ The Vulnerability Count Trap
"We found 500 vulnerabilities this quarter" is not useful information. Were they Critical or Informational? Were they in production-facing systems or internal tools? Did you fix them or just count them? Raw vulnerability counts are the most common vanity metric in security reporting.
4. Coverage Metrics
You can't protect what you don't test:
Security Coverage Dimensions
Asset coverage
What percentage of your applications, APIs, and infrastructure have been security tested in the last 12 months? Unknown or untested assets are your biggest risk — you can't have findings if you never look.
Test depth
What level of testing has each asset received? Automated scanning only? Manual penetration testing? Full audit with business logic review? Higher-value assets need deeper testing.
Pipeline coverage
What percentage of code changes go through security scanning before deployment? If developers can bypass the security gates in CI/CD, your pipeline coverage is lower than you think.
Third-party coverage
What percentage of your third-party dependencies and integrations have been security-assessed? Supply chain attacks exploit the gaps in third-party coverage.
5. Incident Metrics
If prevention metrics tell you how well you're building defenses, incident metrics tell you how well those defenses work:
Mean Time to Detect (MTTD)
How long between an attacker gaining access and your team detecting the intrusion? Industry average: over 200 days. This is the metric that keeps CISOs up at night.
Mean Time to Contain (MTTC)
Once detected, how quickly do you contain the incident? This measures your incident response effectiveness — as we covered in our Incident Response Playbook, preparation determines speed.
Incident Recurrence
Do similar incidents happen repeatedly? Recurring incidents indicate that root causes aren't being addressed. Each incident should result in systemic improvements that prevent recurrence.
Blast Radius
When incidents occur, how much is affected? Smaller blast radius indicates better segmentation and access control. This is an architectural metric — measured in incidents but improved in design.
Building the Dashboard
The CTO Security Dashboard
Top-line health (updated daily)
Three numbers: Open Critical vulnerabilities (should be 0), Open High vulnerabilities past SLA, and overall MTTR trend (up/down arrow). If these three are healthy, your security posture is likely strong.
Trend analysis (updated monthly)
MTTR by severity over last 4 quarters. Vulnerability density per release over time. Coverage percentage across all assets. These trends tell you whether investments in security are paying off.
Risk register (updated quarterly)
Known accepted risks with their business justification and review dates. Untested or under-tested assets prioritized by business criticality. Third-party dependencies with known vulnerabilities. This is your security debt ledger.
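An added example, not code from the article: computing the MTTR stage breakdown from section 1 and two of the three top-line dashboard numbers above, from a constructed findings export. The per-stage targets are the article's own; the 30-day SLA used to decide whether an open High finding is "past SLA" is an assumption, since the article gives no total-MTTR SLA.

```python
from datetime import datetime
from statistics import mean

# Constructed sample export (not from the article): one record per finding with a
# date for each MTTR stage; None means that stage has not happened yet.
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "discovered": "2024-01-02",
     "triaged": "2024-01-02", "fixed": "2024-01-04", "deployed": "2024-01-05"},
    {"id": "F-2", "severity": "Critical", "discovered": "2024-01-10",
     "triaged": "2024-01-13", "fixed": "2024-01-20", "deployed": "2024-02-02"},
    {"id": "F-3", "severity": "High", "discovered": "2024-01-15",
     "triaged": "2024-01-16", "fixed": "2024-01-25", "deployed": "2024-01-26"},
    {"id": "F-4", "severity": "High", "discovered": "2024-02-01",
     "triaged": "2024-02-03", "fixed": None, "deployed": None},
]
# Stage targets in days from the article (discovery->triage, triage->fix); fix->deploy has none.
STAGE_TARGETS = {"Critical": {"triage": 1, "fix": 3}, "High": {"triage": 3, "fix": 14}}
STAGES = [("triage", "discovered", "triaged"), ("fix", "triaged", "fixed"), ("deploy", "fixed", "deployed")]

def _days(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).days

def stage_durations(f):
    """Days spent in each completed stage, plus the end-to-end total once deployed."""
    out = {name: _days(f[a], f[b]) for name, a, b in STAGES if f[a] and f[b]}
    if f["deployed"]:
        out["total"] = _days(f["discovered"], f["deployed"])
    return out

def mttr_by_severity(findings):
    """Mean end-to-end MTTR per severity, over closed (deployed) findings only."""
    totals = {}
    for f in (f for f in findings if f["deployed"]):
        totals.setdefault(f["severity"], []).append(stage_durations(f)["total"])
    return {sev: mean(v) for sev, v in totals.items()}

def stage_breaches(findings):
    """(finding id, stage) pairs where a completed stage exceeded its severity target."""
    return [(f["id"], stage)
            for f in findings
            for stage, days in stage_durations(f).items()
            if days > STAGE_TARGETS.get(f["severity"], {}).get(stage, float("inf"))]

def top_line(findings, today, high_sla_days=30):
    """Open Critical count and open High past SLA; the 30-day High SLA is an assumption."""
    open_ = [f for f in findings if not f["deployed"]]
    crit = sum(f["severity"] == "Critical" for f in open_)
    high = sum(f["severity"] == "High" and _days(f["discovered"], today) > high_sla_days for f in open_)
    return {"open_critical": crit, "open_high_past_sla": high}
```

Running this over a real export replaces the hand-built FINDINGS list with rows from the vulnerability tracker; the MTTR trend arrow is then the comparison of mttr_by_severity between two reporting periods.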
Metrics for Web3 Projects
Web3 projects need additional metrics specific to their risk profile:
Web2 Metric → Web3 Equivalent
- Vulnerability count by severity → Audit findings by severity + TVL at risk
- Deployment frequency with security gates → Contract deployments with full audit coverage
- Third-party library CVE count → DeFi protocol dependency risk (oracle, bridge, composability)
- Incident response time → Time from exploit detection to pause/mitigation
As we covered in The Real Cost of Ignoring Smart Contract Security, the financial impact of security failures in Web3 is immediate and often irreversible — making proactive metrics even more critical.
Communicating Security to the Board
Lead with Risk, Not Activity
Don't report scan counts. Report: "We have X Critical vulnerabilities in production-facing systems, down from Y last quarter. Our mean time to fix Critical issues is Z days."
Benchmark Against Standards
Compare your metrics to industry benchmarks. SOC 2 requirements, your specific compliance frameworks, and industry averages provide context — as we discussed in SOC 2 compliance, these standards define baseline expectations.
Show ROI
Connect security investment to metric improvements. "After implementing automated scanning, our MTTR for High findings decreased from 45 days to 12 days." Concrete improvements justify continued investment.
Be Honest About Gaps
Report what you don't know — untested assets, coverage gaps, accepted risks. Boards respect transparency and can't make informed decisions without complete information.
💡 Start Simple
Don't try to track everything at once. Start with MTTR for Critical/High findings and coverage percentage. These two metrics alone tell you more about your security posture than a dashboard of 20 vanity metrics. Add complexity only when you can act on the additional data.
Want better security metrics? Our Web Security Auditor provides continuous vulnerability data with severity trending, and our Smart Contract Auditor tracks audit findings with TVL-weighted risk scores. Our expert review includes a security posture assessment that establishes your metric baselines. Start measuring what matters.