Get Secured
← All Posts Security Governance

Crypto Security Metrics and KPIs: What to Measure and How to Report to the Board

Most crypto security programmes measure the wrong things, or measure nothing at all. This guide covers the metrics that matter at the board level, the operational metrics that reveal programme health, and how to present security data to non-technical stakeholders.

A crypto exchange with a nine-figure balance sheet can tell its board the price of every asset it holds to four decimal places, yet cannot answer a much simpler question: how long did it take the security team to detect the last anomalous withdrawal attempt. This is not a rare gap. It is the norm. Finance functions in Web3 have matured rapidly under exchange listing requirements and institutional due diligence. Security functions have not kept pace, and the reason is almost always the same: nobody has defined what to measure, so nobody measures anything consistently, and the board is left approving security budgets on the strength of a slide deck rather than a track record.

This guide sets out the metrics that a crypto or Web3 firm should be tracking at three levels: the board, the operational security team, and the crypto-specific controls that do not exist in a traditional enterprise security programme, such as multisig signer health and cold storage audit cadence. It also covers how to package these into a reporting pack that a non-technical director can actually use to govern the business.

Boards cannot govern what they cannot see, and the uncomfortable truth is that most crypto firm boards have never seen a security metric in their lives. Security investment decisions get made on instinct, on the loudest voice in the room, or on whatever happened to a competitor last month, rather than on evidence drawn from the firm's own risk posture.

Why Security Metrics Matter in Web3 (and Why Most Firms Get Them Wrong)

The instinct in most crypto firms is to treat security as a technical function that reports upward only when something goes wrong. This is backwards. A security programme that only surfaces information during an incident has already failed at governance, because by the time the board hears about a problem, the loss has typically already occurred. Metrics exist to close that gap: they let a board, a founder, or an institutional investor see the trajectory of risk before it converts into a headline.

The most common failure mode is measuring activity instead of outcomes. A security team that reports "we ran 40 penetration tests this quarter" has told the board nothing about whether the firm is safer than it was last quarter. The number of tests run is an input. What matters is the trend in critical findings, the speed of remediation, and whether the same class of vulnerability keeps reappearing. A firm building a genuine security governance framework needs metrics that map to decisions, not metrics that simply demonstrate that people were busy.

The second failure mode is inconsistency. Metrics that are defined differently each quarter, or that change definition when the numbers look unfavourable, are worse than no metrics at all, because they create false confidence. A defensible programme fixes its metric definitions early, documents them, and applies them consistently even when the trend is unwelcome. This is precisely the discipline that institutional investors and regulators expect to see when they review a firm's risk management practices.

Leading vs Lagging Indicators: The Distinction That Shapes Your Programme

Lagging indicators describe what has already happened: the number of security incidents last quarter, the financial loss from a compromise, the number of audit findings closed. They are essential for accountability and for demonstrating a track record, but by definition they cannot be used to prevent the event they describe. If the only metrics on a board pack are lagging, the board is reading history, not managing risk.

Leading indicators describe the conditions that produce good or bad outcomes before those outcomes materialise. Patch SLA compliance, the percentage of privileged accounts reviewed on schedule, the phishing simulation click rate trend, and key rotation frequency are all leading indicators. A firm with deteriorating leading indicators, even with zero incidents to date, is accumulating risk that will eventually surface. Conversely, a firm with strong leading indicators but a recent incident may simply have been unlucky, or may be recovering well from a genuine gap that has since been closed.

The practical implication for a CISO or security director is to build a reporting pack that pairs each lagging indicator with the leading indicators that explain it. If incident frequency is rising, the pack should also show whether patch SLA compliance has slipped, whether access reviews are overdue, or whether a particular control has been consistently under-resourced. This turns a report into a diagnostic tool rather than a scoreboard.

Board-Level Security Metrics: What Non-Technical Stakeholders Need to See

A board does not need, and should not receive, a dashboard of raw technical telemetry. Directors need a small number of metrics that map directly to fiduciary and regulatory responsibilities. The following set has proven workable across institutional crypto firms:

  • Risk-adjusted security investment. Security spend as a proportion of assets under management or transaction volume, benchmarked against peer firms of similar size and risk profile. This answers the question every director eventually asks: are we spending enough, and is it going to the right places.
  • Critical findings open beyond 30 days. A single number that captures unresolved risk. Any critical or high-severity finding still open after 30 days should have a named owner and a remediation date attached, and the board should see both the count and the trend over the last four quarters.
  • Regulatory compliance percentage. The proportion of applicable regulatory and licensing security requirements currently met, broken out by jurisdiction where the firm operates under more than one regime. This is often the single most scrutinised figure by institutional investors and licensing authorities.
  • Insurance coverage vs estimated breach cost. The ratio between current crime and cyber insurance coverage and a defensible internal estimate of the cost of a plausible worst-case breach. A widening gap between these two figures is a board-level risk in its own right.
  • Incident frequency trend. Not just the count of incidents, but the trend over rolling quarters, segmented by severity. A flat or falling trend in low-severity incidents alongside effective detection is a sign of a maturing programme, not an absence of activity.

Each of these should be presented with context: the target, the current value, the trend direction, and one sentence of narrative explaining any material movement. Directors without a security background can absorb this format quickly, and it forces the security function to translate technical work into business language, which is itself a useful discipline.

Operational Security Metrics: MTTD, MTTR and Programme Health Indicators

Below the board level, the operational security team needs a richer set of metrics to run the programme day to day. These are the metrics a CISO reviews weekly or monthly, and a summarised version of the most material ones should feed into the quarterly board pack.

  • Mean time to detect (MTTD). The average time between an anomalous event occurring and the security team becoming aware of it. For on-chain anomalies at an institutional-grade programme, a target of under 15 minutes is realistic with proper monitoring in place.
  • Mean time to respond (MTTR). The average time between detection and the initiation of a containment action. A target of under one hour for confirmed critical events is standard for firms holding significant on-chain value.
  • Mean time to recover (MTTRec). The average time to return affected systems or funds flows to normal operating state after an incident. This metric is frequently omitted, but it is what customers and counterparties actually experience during an incident.
  • Patch SLA compliance rate. The percentage of vulnerabilities patched within the timeframe defined by internal policy for their severity rating. This is one of the strongest leading indicators of overall hygiene.
  • Phishing simulation click rate trend. The percentage of staff clicking simulated phishing links, tracked over successive simulations. A declining trend indicates the security awareness programme is working; a plateau or rise indicates it needs redesign, not just repetition.
  • Access review completion rate. The percentage of scheduled privileged access reviews completed on time, and the number of access removals that resulted. A programme that never removes access during reviews is not reviewing seriously.
  • Privileged account audit findings. The count of privileged accounts found with excessive permissions, stale credentials, or missing multi-factor authentication during periodic audits.

These operational metrics are where most of the genuine risk reduction happens. A board pack that only shows the five headline metrics without any visibility into the operational layer beneath them is presenting a result without showing its working, which makes it harder to trust when the numbers eventually move in the wrong direction.

Crypto-Specific Security Metrics: Key Rotation, Multisig Health and Cold Storage Audits

Traditional enterprise security frameworks do not account for the specific operational risks that come with holding and moving digital assets. A crypto security programme needs a dedicated set of metrics for the controls unique to key management and custody.

  • Key rotation frequency by key type. Signing keys, API keys, and infrastructure keys each carry different risk profiles and should be rotated on schedules appropriate to their exposure, with actual rotation dates tracked against policy commitments, not assumed.
  • Multisig quorum health. The audit status of every signer device in a multisig arrangement, including firmware currency, physical custody verification, and confirmation that no single point of compromise (such as two signers sharing infrastructure) has crept into the setup. This should be reviewed at least quarterly, with immediate re-verification triggered by any personnel or device change.
  • Cold storage access log review cadence. How frequently access logs for cold storage are reviewed against expected activity, with a target of monthly at minimum and immediate review triggered by any physical access event.
  • Bug bounty valid submission rate and payout trend. The proportion of submissions to the firm's bug bounty programme that are validated, the average time to triage and pay, and the trend in severity of accepted findings. A rising rate of valid high-severity findings is not automatically bad news; it often reflects growing researcher engagement, and should be read alongside remediation velocity rather than in isolation.
  • On-chain anomaly alert response time. The time from an automated on-chain monitoring alert firing to a human analyst making a disposition decision, distinct from the broader MTTD figure because on-chain alerting has its own tooling and failure modes.
  • HSM firmware currency. The percentage of hardware security modules running vendor-supported, up-to-date firmware, tracked because HSMs are frequently deployed once and then left unmanaged for years.

These metrics rarely appear in generic security dashboards because most dashboard tooling was built for traditional IT environments. A crypto firm that wants institutional-grade oversight needs to build or commission reporting that treats these as first-class metrics, not an afterthought bolted onto a conventional SIEM output.

Building a Security Board Reporting Pack

The format of the reporting pack matters almost as much as the content. A pack that is too technical will not be read; a pack that is too vague will not be trusted. The following structure has worked well for institutional crypto firms building genuine board-level security governance:

  • Traffic light dashboard. A single page with red, amber, green status against each board-level metric category (compliance, incidents, key management, third-party risk), with one line of narrative per item.
  • Trend charts. Simple line or bar charts showing the last four to eight quarters for each headline metric, so the board sees trajectory rather than a single snapshot.
  • Top three open risks. Named owner, current status, and remediation ETA for the three most material open risks, updated every reporting cycle regardless of whether they have changed.
  • Regulatory reporting status. A summary of any regulatory filings, notifications, or licensing conditions related to security that are due or outstanding.
  • Upcoming audit and review schedule. A forward calendar of planned penetration tests, ISO 27001 certification surveillance audits, and internal control reviews, so the board can see the assurance activity planned for the coming period, not just what has already happened.

This pack should be produced on a fixed quarterly cadence at minimum, with an abbreviated monthly version for firms operating in higher-risk categories or under active regulatory scrutiny. Consistency of cadence is itself a governance signal: a pack that appears sporadically, or only after an incident, tells investors and regulators that security reporting is reactive rather than embedded.

Benchmarking Your Security Metrics Against the Industry

Numbers in isolation are difficult to interpret. A board seeing "12 critical findings open beyond 30 days" has no way to judge whether that is alarming or unremarkable without a reference point. Two established frameworks provide useful benchmarking structures for crypto firms.

The NIST Cybersecurity Framework defines maturity tiers from Partial through to Adaptive, and mapping a firm's own metrics against these tiers gives the board a recognised external reference rather than an internally invented scale. A firm reporting metrics consistent with a Repeatable or Adaptive tier is making a claim that can be independently assessed, which carries more weight with institutional counterparties than a self-graded score.

ISO 27001 control effectiveness ratings offer a complementary benchmark, particularly for firms that have pursued or are pursuing certification. Each Annex A control can be rated for effectiveness during internal audit, and tracking the trend in these ratings over successive audit cycles gives a structured, externally recognisable measure of programme maturity that sits alongside the crypto-specific metrics described above. Firms that combine a recognised governance framework with the crypto-specific metrics in this guide are in a materially stronger position when facing institutional due diligence, licensing review, or insurance underwriting, all of which increasingly ask for evidence rather than assurances.

Frequently Asked Questions

What are the most important crypto security metrics for a board to review?

A board should review a small set of outcome-oriented metrics: the number of critical findings open beyond 30 days, regulatory compliance percentage, incident frequency trend, risk-adjusted security investment against peer benchmarks, and insurance coverage relative to estimated breach cost. These give directors a defensible view of exposure without requiring technical fluency.

What is the difference between leading and lagging security indicators in crypto?

Lagging indicators measure outcomes that have already occurred, such as incidents, losses or audit findings. Leading indicators measure the conditions that produce those outcomes, such as patch SLA compliance, phishing simulation click rates, key rotation frequency and access review completion. A mature programme tracks both, but leans on leading indicators to intervene before losses occur.

How often should multisig signer health and cold storage be audited?

Multisig signer device audits should be performed at least quarterly, with immediate re-verification after any personnel change or device replacement. Cold storage access logs should be reviewed on a monthly cadence at minimum, with any physical access to key material triggering an out-of-cycle review regardless of schedule.

What is a reasonable mean time to detect and respond for a crypto firm?

Institutional-grade programmes typically target mean time to detect (MTTD) for on-chain anomalies of under 15 minutes and mean time to respond (MTTR) of under one hour for confirmed critical events. These targets vary by asset value at risk and should be set relative to the firm's own historical baseline, then tightened over time.

How should a bug bounty programme's metrics be reported to the board?

Report the valid submission rate, average time to triage and pay, the trend in severity of accepted findings over time, and total payout against programme budget. A rising rate of high-severity valid submissions is not necessarily bad news; it often indicates researcher engagement is working as intended and should be read alongside remediation velocity.

Build a Security Programme You Can Measure

Book a Security Review