Hard2bit
← Back to blog

Cyber Resilience Dashboard for the Board: 12 Actionable KPIs That Drive Decisions

By Adrián González · CEO · Published: 06 June 2026 · Updated: 06 June 2026
Compliance & GRC
Cyber resilience board dashboard with 12 KPIs

Boards don't want more security metrics; they want fewer, better ones. What lands as "100+ slides of CVSS heatmaps and patching SLAs" produces glazed eyes and zero decisions. What works is a small set of indicators that map directly to business risk, that the board can ask intelligent questions about, and that change the budget conversation.

This article is a practical board dashboard with 12 actionable cyber resilience KPIs for enterprise leadership — what to measure, how to present it, and how to use it to drive decisions rather than just report status. It's the dashboard we use with audit and risk committees in financial, healthcare and critical-infrastructure clients. It maps cleanly to NIS2, DORA and ISO 27001 expectations on board-level oversight of cyber risk.

What a Board should — and shouldn't — measure

Wrong metrics:

  • Number of attacks blocked. Vanity, attacker-driven, not under our control.
  • Patching compliance rate. Operational, not strategic. Belongs in committee, not Board.
  • Security awareness completion percentages. HR metric, not Board-level.
  • Number of vulnerabilities open. Volume is not maturity; without context it's noise.

Right metrics:

  • Residual risk on critical business services — quantifiable, decisionable.
  • Coverage of crown jewels by minimum controls — gap analysis the Board can act on.
  • Time to detect and contain incidents — operational maturity at a glance.
  • Third-party risk concentration — supply chain visibility.
  • Tested recovery capability — "can we actually restore?" not "do we have backups?".

Design principles for the dashboard

  • Few metrics, well-defined. 12 is the upper bound; less is better.
  • Trend, not snapshot. Direction matters more than point-in-time number.
  • Business outcome anchored. Every KPI ties to a business service or risk category.
  • Comparable to risk appetite. Each KPI has a threshold the Board approved.
  • Actionable. If a KPI moves the wrong way, there's a defined decision the Board can make.
  • Sourced and defensible. Every number has a method and an owner.

The 12 actionable cyber resilience KPIs

1) Residual cyber risk in critical services

Quantified risk (in monetary or scaled units) for each Tier 1 business service after controls are applied. Includes likelihood × impact estimates per scenario, aggregated by service. Useful comparison against the Board's risk appetite per service.

Decision the Board can take: approve risk acceptance, request additional investment for services above threshold, or accept that residual risk is within tolerance.

2) Coverage of critical assets by minimum required controls

Percentage of crown-jewel assets that have the minimum approved control baseline implemented (encryption, identity, monitoring, backup, IR coverage). Target: >95%. Gaps are operational, but the trend is strategic.

Decision: if coverage drops below threshold, approve remediation timeline and resource.

3) Critical vulnerabilities exposed beyond SLA

Count of validated critical exposures (KEV-listed, exploited in the wild, or with EPSS > 0.7) open past their tier-1 SLA. Target: 0. Persistent non-zero means the vulnerability management programme has a capacity problem.

Decision: approve additional remediation capacity, or change the prioritisation thresholds.

4) Mean Time to Detect (MTTD) for relevant incidents

Median time from initial compromise to detection across the last quarter's incidents above severity threshold. Useful only if the SOC is mature enough to measure it consistently. Target depends on industry: financial <1h, manufacturing <8h.

Decision: invest in detection capability (telemetry, SOC tooling, hunting) if MTTD is degrading.

5) Mean Time to Contain / Eradicate (MTTR)

Median time from detection to containment and from containment to eradication. Separates "we saw it" from "we stopped it". Target depends on the incident response maturity: containment <4h is realistic for organisations with a 24/7 SOC.

Decision: invest in IR capability, retainer or playbook gaps if MTTR is excessive.

6) Rate of incidents impacting service continuity

Number of incidents per quarter that caused measurable degradation or outage of a Tier 1 service. Distinct from "incidents detected" — this is the subset that actually hurt the business. Target: trending down.

Decision: evaluate whether the residual risk model needs adjustment, or whether specific service controls need strengthening.

7) Recovery testing compliance (backup / restore / DR)

Percentage of Tier 1 services with documented and successfully tested recovery procedures in the last 12 months. Untested backups have a way of failing on the day they're needed. Target: 100% tested annually, critical services semi-annually.

Decision: authorise additional DR investment if recovery capability is unverified.

8) Third-party risk with access to critical data or processes

Number of third parties with privileged access to critical assets, segmented by their own assessed risk level. Supply-chain attacks are the dominant vector for many incidents. Target: visibility on 100%; concentration risk flagged.

Decision: approve due-diligence reinforcement, contract changes, or alternative provider strategy.

9) Closure of actions from exercises (tabletop, red team)

Percentage of action items derived from cyber exercises that are closed within agreed timelines. Exercises that produce findings nobody closes are theatre. Target: >90% closed within 90 days.

Decision: if closure is poor, evaluate whether exercise governance needs strengthening or whether more frequent adversary simulation is the wrong investment.

10) Active and expired risk exceptions

Count of formally accepted risk exceptions still active, segmented by age and severity. Expired-but-not-renewed exceptions are uncontrolled risk. Target: zero expired, declining trend on active count.

Decision: review specific exceptions or change the exception process if accumulation is structural.

11) Coordinated response maturity (security + legal + comms + business)

Assessment (qualitative or scaled) of how well the cross-functional incident response works during real or simulated incidents. Includes decision-making speed, communication coordination and customer/regulator notification capability. Target: improving each quarter.

Decision: invest in cross-functional drills, retainer arrangements with PR/legal, or governance changes.

12) Quarterly trend of aggregated risk

Single number showing the trajectory of aggregated residual risk across all Tier 1 services and risk categories. The Board's one-glance answer to "are we getting safer". Target: trending down or stable; rising trend triggers strategic review.

Decision: strategic reassessment of cyber investment level, if trend is consistently wrong direction.

How to present the 12 KPIs so the Board can decide

Format that lands:

  • One page. Twelve KPIs, current value, trend arrow, threshold marker, owner. Everything on one slide.
  • Colour-coded against thresholds. Green/amber/red mapped to the risk appetite per KPI, not to gut feeling.
  • Three bullet narrative. What changed since last quarter, why, what action is requested.
  • Appendix with method. How each KPI is calculated, who owns the data, what counts as in-scope.
  • Quarterly cadence. Updates monthly to committee, but Board sees quarterly summary.

If the slide produces questions like "why is KPI 8 amber and what would it take to move it to green?", you've succeeded. If it produces silence, you have a presentation problem.

Common mistakes in Board reporting

  • Too many metrics. 30+ KPIs guarantee the Board reads none of them carefully.
  • Operational disguised as strategic. Patching SLA is operational; "critical exposures beyond SLA" is strategic.
  • No thresholds. Numbers without an approved threshold mean "is this good or bad?" is a personal opinion.
  • Status without decision request. Reporting is not the goal; getting a decision is.
  • Different metrics every quarter. Comparability is what makes trend meaningful.
  • Hiding bad news. Boards eventually notice; the credibility loss is worse than the bad news.

Practical example: reading the dashboard

Scenario: a mid-size insurer, current quarter's dashboard shows:

  • KPI 1 (residual risk): stable, within appetite. Green.
  • KPI 3 (critical exposures beyond SLA): 4 open, target 0. Amber, trending worse.
  • KPI 5 (MTTR containment): 6h, target <4h. Amber.
  • KPI 8 (third-party risk): 2 new high-risk providers added in quarter. Amber.
  • KPI 12 (aggregated trend): slight upward (worsening). Amber.

Narrative: "Two structural issues are driving the amber. Vulnerability remediation capacity has been overwhelmed since the recent KEV publications hit our edge stack. Third-party onboarding outpaced the assessment process. Both are addressable with focused investment in Q+1: remediation capacity reinforcement and TPRM process automation. Decision requested: approve the budget reallocation outlined in appendix A."

That's a Board agenda item. Twelve KPIs, one slide, one decision requested. Anything else is a status update.

12-week implementation plan for the dashboard

Weeks 1-4: foundation

Agree the 12 KPIs with leadership and risk committee. Document the method, owner and threshold for each. Establish data sources. Identify gaps where current data isn't reliable.

Weeks 5-8: instrumentation

Build data pipelines for the KPIs that lack reliable sources. For "residual risk", implement a simple scenario-based model — perfection isn't the goal, comparability is. For coverage and exposure KPIs, integrate with existing inventory and scanning tooling.

Weeks 9-12: validation and first cycle

Produce the first quarter's dashboard. Walk through it with leadership to validate that numbers and trends look right. Refine thresholds if reality differs from expectation. Schedule the first Board presentation.

Recommended frequency and depth

  • Operational committee: monthly review of all 12 KPIs with detailed drill-downs.
  • Risk / audit committee: quarterly review of the same KPIs with action recommendations.
  • Board: quarterly presentation of the one-page dashboard with decision requests.
  • Crisis cadence: during major incident, ad-hoc Board update with KPI snapshot.

Integrating the dashboard with strategy and budget

The dashboard is most valuable when it feeds the annual budget conversation. KPI trends justify the cyber budget request; threshold breaches drive specific investment proposals; quarterly trajectory frames the multi-year programme. Without that linkage the dashboard becomes a recurring slide nobody acts on.

Practically: every Q4 presentation includes the year's KPI trajectory and an explicit ask for the next year's budget, anchored in specific KPI improvements the budget will deliver. The Board can debate the trade-offs in business terms instead of in technical jargon.

Compliance alignment

The 12 KPIs align with regulatory expectations on board-level oversight:

  • NIS2 Article 20: management body responsibility for cybersecurity risk management — these KPIs are exactly the evidence regulators expect.
  • DORA: management body's role in approving ICT risk strategy and reviewing risk indicators — KPIs 1, 4, 5, 6, 8, 12 are directly relevant.
  • ISO 27001: top management responsibilities (Clause 5) and management review (Clause 9.3) require exactly this kind of executive-level visibility.

Building the dashboard for the Board also produces the evidence auditors will request. Same investment, two outcomes.

Conclusion

A Board cyber dashboard that actually drives decisions has 12 (or fewer) well-defined KPIs, each anchored to a business outcome, each with a threshold the Board approved, each with a clear decision pathway when it moves the wrong way. The hard part isn't the data — it's the discipline to keep the metric set small and to insist on action requests rather than status updates.

Organisations that get this right turn the cyber reporting from a quarterly slide nobody understands into a structured conversation about where to invest, what risks to accept and how the programme is maturing. That's the level of engagement regulations like NIS2 and DORA are explicitly asking for.

If you want help building or auditing the dashboard, talk to a Hard2bit specialist and we'll scope a focused first phase.

Disclaimer: KPI definitions, thresholds and reporting cadences must be adapted to your sector, regulatory scope and organisational maturity. Specific examples in this article reflect practical experience as of mid-2026 and are starting points, not prescriptive standards. This article is informational and does not replace a formal governance review or compliance assessment.

Frequently asked questions

Why exactly 12 KPIs and not more or fewer?

Twelve is the upper bound where a one-page dashboard remains readable and trends across the set remain meaningful. Less is often better — well-functioning Boards sometimes work from 6-8 KPIs. More than 15 typically means the dashboard has degraded into a report nobody studies. The number matters less than the principle: every KPI on the dashboard should drive a decision.

Our risk model isn't mature enough to quantify residual risk. Do we skip KPI 1?

Don't skip it — start qualitative. A 1-5 risk scale per critical service, refreshed quarterly by the risk team, is better than nothing and lets you build the trend line. As scenario modelling matures, refine toward monetary estimates. The Board values consistency and trajectory more than precision at the third decimal place.

How do these KPIs map to NIS2 and DORA management body responsibilities?

Directly. NIS2 Article 20 and DORA Article 5 both make the management body explicitly responsible for cyber risk oversight. The 12 KPIs cover what regulators expect to see: risk quantification, control coverage, incident response capability, third-party risk, exception management and trend visibility. Presenting this dashboard at the Board level produces both internal governance and the audit evidence those regulations require.

What if a KPI is consistently red and we can't fix it?

That's exactly when it becomes a Board decision. If a KPI is structurally red because the investment to fix it exceeds the residual risk reduction, formally accept the risk and document the rationale (the exception goes into KPI 10). If it's red because investment is needed, the dashboard is the vehicle to request it. The KPI being red isn't a failure — being red without a decision is.

How long until the dashboard pays off?

First quarter is foundation: agreeing KPIs, building data pipelines, validating numbers. Second quarter is the first useful Board presentation. By the fourth quarter you have a year of trends, the conversation with the Board has shifted from "what is this number" to "what should we do about it", and the cyber budget conversation has new structure. Organisations that have run this for 2+ years report that audit committees and Boards engage more substantively with cyber risk than they did before — which is the actual goal.