- A security dashboard has exactly one job: Show in less than 30 seconds whether something needs attention.
- Different audiences need different dashboards: Executive management needs traffic light colors and trends, the security team needs operational details.
- The most important metrics for the executive dashboard: Overall risk status, open critical vulnerabilities, active incidents, compliance status, and patch compliance.
- Data that must be collected manually does not belong on a dashboard. Only automatically collectible metrics deliver current and reliable values.
- A good dashboard shows context: Not just the current value, but also the trend, the target value, and the deviation.
What a Security Dashboard Must Deliver
A security dashboard is not a decorative element for the flat screen in the hallway and not a toy for tech enthusiasts. It is a decision-making tool. In less than 30 seconds, it must enable a person to answer one of the following questions:
- Is there something right now that needs my immediate attention?
- Are we getting better or worse?
- Where do we need to invest or make adjustments?
- Can we pass the next audit?
If your dashboard does not answer any of these questions, it is useless. If it answers all four, it is one of the most valuable tools in your ISMS.
The Three Dashboard Levels
Not everyone needs the same dashboard. The CEO needs different information than the security analyst. The solution: Three dashboard levels for three audiences.
Level 1: Executive Dashboard (C-Suite)
Audience: CEO, board of directors, C-level executives
Purpose: Overall view of the security status. Identify need for action. Support investment decisions.
Update frequency: Weekly or monthly
Design principle: Maximum one screen page. Traffic light colors. Trends. No technical details. If executive management has to ask what a metric means, it does not belong on this dashboard.
Metrics:
- Overall Risk Status (Traffic light): An aggregated assessment of the current risk level. Green = all identified risks are at an acceptable level. Yellow = individual risks above the acceptance level, measures are underway. Red = critical risks without adequate treatment.
- Open Critical Vulnerabilities: Number of unpatched vulnerabilities with CVSS >= 9.0 on production systems. Target value: 0. Any number > 0 requires an explanation.
- Active Security Incidents: Number and severity of currently ongoing incidents. No active critical incidents = green. Ongoing incidents with high severity = red.
- Compliance Status: Percentage fulfillment of the relevant compliance requirements (NIS2, ISO 27001, industry-specific requirements). With trend arrow.
- Patch Compliance: Percentage of systems patched within the defined timeframe. Differentiated by critical/high/medium.
- Next Milestones: The three most important upcoming dates (next audit, expiring certificate, compliance deadline).
Level 2: Management Dashboard (CISO, IT Management)
Audience: Information security officer, IT management, ISMS team
Purpose: Operational management of the ISMS. Identify bottlenecks. Allocate resources. Prioritize measures.
Update frequency: Daily to weekly
Design principle: Two to three screen pages. More detail than the executive dashboard, but still focused on actionability. Shows not just the status but also the causes.
Metrics:
- Risk Treatment Progress: Overdue measures by area/responsible person. Traffic light per measure. Gantt-like display for time-critical measures.
- Vulnerability Pipeline: Number of open vulnerabilities by age (< 7 days, 7-30 days, 30-90 days, > 90 days) and criticality. Aging is the decisive indicator: Vulnerabilities that have been open for 90 days point to structural problems.
- Incident Trend: Number and type of incidents over the last 12 months as a bar chart. With overlay of average response time (MTTR). Shows seasonal patterns and long-term trends.
- Asset Coverage: Proportion of IT and OT assets captured in the ISMS and provided with a current risk assessment. Reveals blind spots.
- Training Status: Training rate by department and due date. Which departments are overdue? When is the next phishing simulation scheduled?
- Audit Finding Tracker: Open findings by source (internal audit, external audit, self-assessment), severity, and due date.
- Supplier Risk Status: Overview of the security assessment of the most important service providers and suppliers. Particularly relevant for NIS2-obligated companies.
Level 3: Operational Dashboard (Security Team)
Audience: Security analysts, system administrators, SOC team (if present)
Purpose: Real-time overview of the technical security posture. Detect anomalies. Prioritize incidents.
Update frequency: Real-time or near real-time
Design principle: Data-intensive. Technical details. Filterable and drilldown-capable.
Metrics:
- Active Alerts: Open security alerts from SIEM, EDR, firewall, and OT monitoring, grouped by severity and status (new, in progress, escalated).
- Network Anomalies: Unusual communication patterns, new devices on the network, suspicious DNS queries, connections to known C2 servers.
- Authentication Anomalies: Failed login attempts, logins from unusual locations, simultaneous logins from the same user.
- Endpoint Status: Proportion of endpoints with current virus protection, active EDR agent, current operating system.
- Firewall Status: Top blocked traffic, new rule violations, connections to blocked destinations.
Selecting Metrics: The Principles
Less Is More
The biggest temptation in dashboard design is to include too many metrics. A dashboard with 40 tiles is not a dashboard — it is a visual maze. For the executive dashboard: maximum 6 metrics. For the management dashboard: maximum 15. For the operational dashboard: as many as necessary, but with clear grouping and filtering.
Only Automatically Collectible Metrics
Any metric that must be collected manually will sooner or later become outdated. Manual collection works for a quarterly report. For a dashboard that needs to be current daily or weekly, it is not sustainable. Limit yourself to metrics for which you have automated data sources.
Show Context
A number without context is worthless. "Patch Compliance: 87%" says little. "Patch Compliance: 87% (Target: 95%, Previous month: 82%, Trend: rising)" tells a story. Every metric needs at minimum: the current value, the target value, the previous period value, and a visual trend indicator.
Actionability
Every metric on the dashboard must enable an answer to the question "So what do I do now?" If a metric is red, it must be clear what action follows. If no action follows for any color, the metric does not need to be on the dashboard.
Data Sources and Integration
A dashboard is only as good as its data sources. For a mid-market company, the following sources are typically relevant:
IT Systems
| Data Source | Provides Metrics For |
|---|---|
| SIEM (e.g., Microsoft Sentinel, Elastic) | Alerts, incidents, log-based anomalies |
| EDR (e.g., Microsoft Defender for Endpoint) | Endpoint status, threat detection |
| Patch management (e.g., WSUS, Intune, Automox) | Patch compliance, open vulnerabilities |
| Identity provider (e.g., Entra ID) | MFA status, authentication anomalies |
| Firewall / NDR | Network anomalies, blocked traffic |
| Vulnerability scanner (e.g., Nessus, Qualys) | Vulnerabilities by age and criticality |
| Backup software | Backup success rate |
OT Systems
| Data Source | Provides Metrics For |
|---|---|
| OT monitoring (e.g., Nozomi, Claroty) | Asset inventory, communication matrix, OT anomalies |
| Firewall at IT/OT boundaries | Cross-zone traffic, blocked connections |
| PLC backup system | Backup status of control programs |
ISMS Data
| Data Source | Provides Metrics For |
|---|---|
| ISMS tool (e.g., ISMS Lite) | Risk status, measures progress, audit findings |
| LMS / training platform | Training rate, phishing simulation rate |
| Ticketing system | Incident metrics (count, MTTD, MTTR) |
Integration
The ideal solution: All data sources feed into a central platform that generates the dashboards. In practice, this is often the SIEM (for operational data) and the ISMS tool (for governance data).
If full integration is not possible, separate dashboards are also acceptable, as long as they have clearly defined responsibilities. What matters is that data is regularly and automatically updated.
Dashboard Design: Practical Tips
Color Scheme
Use a consistent color scheme with clear meaning:
- Green: Target value achieved, no action needed
- Yellow/Orange: Target value narrowly missed, observation needed
- Red: Target value significantly missed, action needed
- Gray: No data available (also an alarm signal)
Avoid more than these four colors. Each additional color dilutes the message.
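As an added example (not code from the original article or from any tool it names), the following Python computes the Level 1 "Open Critical Vulnerabilities" count, the Level 2 "Vulnerability Pipeline" age buckets, and renders a metric with the target, previous value, trend and four-colour traffic light described in the "Show Context" and "Color Scheme" sections. The scanner export, hostnames, environments and the tolerance of 5 percentage points are constructed; the bucket boundaries assume inclusive upper limits at 30 and 90 days, which the article does not specify.

```python
from datetime import date
# Constructed sample scanner export (not real data): host, environment, CVSS, first seen, remediated
TODAY = date(2026, 3, 14)
VULNS = [
    ("erp-db-01", "production", 9.8, date(2026, 3, 10), False),
    ("erp-db-01", "production", 7.5, date(2025, 11, 20), False),
    ("web-03", "production", 9.1, date(2026, 2, 1), True),
    ("test-app-02", "test", 9.4, date(2026, 1, 5), False),
    ("hmi-line-2", "production", 8.2, date(2026, 3, 1), False),
    ("file-srv-01", "production", 5.3, date(2026, 2, 20), False),
]
AGE_BUCKETS = ("< 7 days", "7-30 days", "30-90 days", "> 90 days")

def criticality(cvss):
    """CVSS v3 qualitative rating: critical >= 9.0, high >= 7.0, medium >= 4.0, else low."""
    for label, floor in (("critical", 9.0), ("high", 7.0), ("medium", 4.0)):
        if cvss >= floor:
            return label
    return "low"

def age_bucket(first_seen, today=TODAY):
    """Aging bucket of an open finding; assumes inclusive upper bounds at 30 and 90 days."""
    days = (today - first_seen).days
    for bucket, limit in zip(AGE_BUCKETS, (6, 30, 90)):
        if days <= limit:
            return bucket
    return AGE_BUCKETS[3]

def open_critical_production(vulns=VULNS):
    """Level 1 tile: unpatched CVSS >= 9.0 findings on production systems (target: 0)."""
    return sum(1 for _, env, cvss, _, done in vulns
               if not done and env == "production" and cvss >= 9.0)

def vulnerability_pipeline(vulns=VULNS, today=TODAY):
    """Level 2 tile: open findings counted per age bucket and criticality."""
    table = {bucket: {} for bucket in AGE_BUCKETS}
    for _, _, cvss, first_seen, done in vulns:
        if not done:
            row = table[age_bucket(first_seen, today)]
            row[criticality(cvss)] = row.get(criticality(cvss), 0) + 1
    return table

def traffic_light(value, target, tolerance, higher_is_better=True):
    """Four-colour scheme from the article; gray means the data feed delivered nothing."""
    if value is None:
        return "gray"
    gap = (target - value) if higher_is_better else (value - target)
    return "green" if gap <= 0 else "yellow" if gap <= tolerance else "red"

def with_context(name, current, target, previous, tolerance=5, higher_is_better=True):
    """Metric tile with the context the article demands: target, previous period, trend, colour."""
    trend = "rising" if current > previous else "falling" if current < previous else "flat"
    return {"metric": name, "current": current, "target": target, "previous": previous, "trend": trend,
            "status": traffic_light(current, target, tolerance, higher_is_better), "last_updated": TODAY.isoformat()}
```

For a count metric such as open critical vulnerabilities, call `traffic_light(count, 0, 0, higher_is_better=False)` so that any value above zero turns the tile red, as the article requires.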
Layout
Executive Dashboard: Large tiles, generous whitespace, no scrollbars. The most important information (is there a critical problem?) must be immediately recognizable, even from three meters away.
Management Dashboard: Modular grid layout. Each area (risk, compliance, incidents, vulnerabilities) has its own section. Tabs or navigation for different areas are acceptable.
Operational Dashboard: Dense display with filters. Sortable tables, timelines, drill-down capability from overview to detail.
Update Frequency
Define the update frequency for each metric and make it visible on the dashboard. A "Last updated: March 14, 2026, 08:00 AM" gives the viewer confidence in the currency. A dashboard without a timestamp looks like yesterday's photo.
Alerts
The dashboard should have active alerting capabilities. When a critical metric exceeds the threshold, not only does the tile turn red, but an active notification is sent (email, Slack/Teams, SMS). The dashboard then serves as the detail view for the alert.
Common Dashboard Design Mistakes
The Data Dump Mistake
You display all available data because you have it. The result: A dashboard with 50 tiles that nobody uses. Solution: Start with the questions that need answering and select only the metrics that answer those questions.
The Vanity Mistake
You display only metrics that look good. The backup success rate is 99.8%, the training rate is 97%, everything is green. But patch compliance for critical vulnerabilities is not on the dashboard because it is at 62%. A dashboard that only shows good news is not a management instrument — it is self-deception.
The Context Mistake
You display a number without a comparison value. "47 security incidents this month" sounds like a lot. But if the previous month had 120 and the average is 80, then 47 is a success. Without context, the number leads to false conclusions.
The Currency Mistake
Dashboard data that is a week old is worthless for operational decisions. And a "real-time" label on data that is only updated once daily is misleading. Be honest about the currency and match the update frequency to the usage purpose.
The Silo Mistake
You have separate dashboards for network security, endpoint security, cloud security, and ISMS compliance, but none that shows the overall state. Executive management does not want to read four dashboards — they want one answer to the question: Are we secure?
Building in Three Phases
Phase 1: Executive Dashboard (2-4 weeks)
Start with the executive dashboard. It has the greatest leverage (visibility with executive management) and the lowest data requirements (5-6 metrics). Many of the data points can initially be collected manually and then gradually automated.
Phase 2: Management Dashboard (4-8 weeks)
Expand to the management dashboard. Here you need connections to more data sources (patch management, ticketing system, ISMS tool). Invest in automating data collection before you build the dashboard. A manually populated management dashboard will no longer be updated after two months.
Phase 3: Operational Dashboard (ongoing)
The operational dashboard grows organically with your technical capabilities. Start with the data that your SIEM or security tools already provide. Gradually expand to include OT monitoring, cloud security data, and identity data.
Tools and Platforms
The choice of dashboard platform depends on your existing systems and budget. Here is an overview of common approaches:
Option 1: Integrated SIEM Dashboard
If you already operate a SIEM (Microsoft Sentinel, Elastic SIEM, Splunk), it offers integrated dashboard capabilities. The advantage: Security-relevant data is already available. The disadvantage: ISMS governance data (risk status, measures progress, audit findings) is typically missing.
Suitable for: The operational dashboard (Level 3) and parts of the management dashboard (Level 2).
Option 2: Business Intelligence Tool
Tools like Power BI, Grafana, or Tableau can aggregate and visualize data from various sources. You build the dashboards yourself and have full control over design and data integration.
Suitable for: All three levels, but requires effort for data integration and dashboard creation. Grafana is particularly popular for technical security dashboards, Power BI for executive dashboards.
Option 3: ISMS Tool with Dashboard
Specialized ISMS tools deliver dashboards that are directly based on the data managed in the tool: risk status, measures progress, compliance status, asset inventory. Integration with technical security data (SIEM, EDR, vulnerability scanner) varies by tool.
Suitable for: The executive dashboard (Level 1) and the management dashboard (Level 2), supplemented by operational data from the SIEM. ISMS Lite provides an integrated dashboard with real-time metrics from risks, measures, and incidents, covering both executive and management views.
Option 4: Custom Development
For companies with developer resources: A simple dashboard based on web technologies (React, Vue, Chart.js) that pulls data via API from various sources. Maximum flexibility, but also maximum development and maintenance effort.
Suitable for: Companies with specific requirements that no standard solution covers. For most mid-market companies, the effort is not justified.
Rollout and Adoption
The best dashboard is useless if nobody looks at it. Introducing a security dashboard is not just a technical project but also a change management topic.
Make the Dashboard Visible
Mount a screen with the executive dashboard in a prominent location: in the IT department hallway, in the executive conference room, or in the server room entrance. The physical presence makes the dashboard a natural conversation starter. If the CEO sees a red tile on the way to a meeting, they will ask about it. And that is exactly what you want.
Establish Rituals
Integrate the dashboard into existing meeting formats. The IT team's weekly starts with a look at the operational dashboard. The monthly management meeting includes a fixed agenda item "Security Status" based on the executive dashboard. The quarterly ISMS review uses the management dashboard as its foundation.
Collect Feedback
Regularly ask users: Which metric is most useful? Which one don't you understand? Which one is missing? What would you change? A dashboard that responds to feedback gets used. A dashboard that is mandated from above and never adapted gets ignored.
Celebrate Successes
When a metric improves (patch compliance rises from 78% to 94%, phishing click rate drops from 18% to 4%), communicate it actively. Making improvements visible motivates the team and shows executive management that the investment in security is working.
Metrics in the Dashboard and the Management Review
The dashboard and the management review are two sides of the same coin. The dashboard shows the current status. The management review analyzes trends and derives measures.
The metrics from the dashboard flow directly into the management review. The advantage: If you have a well-maintained dashboard, preparing the management review is significantly easier. Instead of gathering data from various sources, you export the dashboard data and supplement it with qualitative analyses and recommendations. Which ISMS metrics belong in the management review is described in a separate article in detail.
Conversely, the results of the management review flow back into the dashboard: adjusted target values, new metrics, changed thresholds for alerts.
The Dashboard as a Communication Instrument
In closing, a change of perspective: The security dashboard is not just a management instrument but also a communication instrument. It tells a story about the state of information security in your organization.
To executive management, it communicates: "We have the situation under control" (or not). To auditors, it communicates: "We systematically measure the effectiveness of our ISMS." To your own team, it communicates: "Our work makes a measurable difference."
This communicative function is at least as important as the operational one. An information security officer who presents a polished dashboard in a management review has a significantly stronger position in budget negotiations than one who delivers only gut feelings and anecdotes.
Invest in the quality of your dashboard. It is your showcase.
OT Metrics in the Dashboard
If your organization operates OT systems alongside IT, the dashboard should reflect this. OT-specific metrics that belong on the management dashboard:
OT Asset Coverage: Proportion of OT assets captured in the asset register and provided with a current risk assessment. Shows whether the OT world is visible in the ISMS.
OT Patch Status: Number of unpatched OT systems with known vulnerabilities, differentiated by criticality. Different standards apply here than in IT (longer patch cycles are normal), but visibility is key.
Remote Maintenance Access Status: Number of active remote maintenance connections and their last audit date. An access point that has not been reviewed for two years is a risk.
OT Network Anomalies: If you operate passive OT monitoring, display the number of detected anomalies per week or month. The trend is more important than the absolute value.
These metrics do not belong on the executive dashboard (the overall risk status is sufficient there), but on the management dashboard they are essential if OT is relevant to your organization.
Further Reading
- ISMS Metrics: The 15 KPIs Your Management Review Needs
- Measuring Your ISMS Maturity: From Beginner to Optimized
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- Mastering the Management Review: Preparation, Execution, and Follow-Up
