The Five Board-Ready Security KPIs (and Where to Spend to Move Them)

TL;DR: Use a tight KPI set - coverage, SLA adherence, MTTD/MTTR/MTTC, false positives and evidenced investigations - then fund 24x7 operations, smart log strategy and inclusive pricing to improve those numbers quarter by quarter. 

In our recent webinar, Luke Elston discussed “Security KPIs & Spend: What Matters To The Board”, part 2 of our Boardroom Briefing Series: Managed Security, focusing on how to track performance, control spend and show ROI. 

Boards are asking sharper questions about cyber risk and value for money. They want clear proof that security spend translates into protection, pace and progress, not more tools, more noise or surprise invoices. This piece cuts through the jargon and focuses on the few metrics that actually show control of risk and control of cost. 

In plain English, we outline the KPI set senior leaders can use to steer outcomes, plus the spend levers that move those numbers fastest. You will see how to make 24x7 coverage non-negotiable, right-size your log strategy, avoid hidden fees and compare managed detection and response providers on evidence, not promises, with Microsoft Security at the core and CyberOne as your execution partner. 

“Boards don’t want more alerts. They want proof of protection and progress - clear KPIs that show risk is going down and costs are under control.” 

Luke Elston, Microsoft Practice Director, CyberOne 

What Boards Actually Care About  

Boards want three things in order: proof that the service protects the business, confidence that the money is well spent and assurance that the service keeps improving without hidden extras. Keep your reporting and investment aligned to those outcomes. 

The KPI Set that Proves Value 

  • Estate coverage percentage: anything below 100% leaves blind spots and undermines the service as a whole. Track it by domain: identities, endpoints, SaaS, cloud, and network. 
  • SLA performance: response-time obligations should be in the contract with consequences if missed. Review monthly, dig into any outliers. 
  • MTTD, MTTR, MTTC: measure time to detect, respond and contain. For P1 incidents, aim for containment in under 30 minutes. 
  • False positive rate: noise kills teams. Good services sit under 5%, best-in-class 1-2%. Track the trend, not just the snapshot. 
  • Evidenced investigations: insist on end-to-end incident lifecycle visibility and on-demand reporting for audits. 

| KPI | What it means (plain English) | Indicative target | Reporting cadence | Evidence to show the board |
|---|---|---|---|---|
| Estate coverage | % of identities, endpoints, email, SaaS and cloud resources monitored 24x7 | 100% across all domains | Monthly with quarterly review | Coverage dashboard by domain, exceptions and closure plan |
| SLA performance | Meeting contracted acknowledgement and action times for P1-P3 | Meet or exceed SLA each month | Monthly | SLA report, outliers, root cause and fixes |
| MTTD | Time from malicious activity to first detection | Minutes for P1s | Monthly plus real time | Time-stamped detection-to-acknowledgement metrics |
| MTTR | Time from confirmation to first response action | Low and trending down | Monthly | Playbook action times and automation rate |
| MTTC | Time to contain an incident so it cannot spread | P1 containment within ~30 minutes | Monthly | Containment timeline with affected users/devices |
| False positive rate | % of alerts triaged as non-issues | Under 5%, ideally 1-2% | Monthly | Alert quality trend and use cases tuned |
| Evidenced investigations | Complete incident record for audit and lessons learned | 100% of P1-2s fully documented | Monthly | Investigation timeline, analyst notes, outcomes |
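The KPI set above is only useful to a board if the numbers are computed the same way every month. The script below is an added example, not part of the article or CyberOne's tooling, showing one way to derive the metrics from incident and alert records; the incident timestamps, alert counts and asset counts are constructed, and the choice to measure MTTC from first detection is an assumption.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the article), ISO 8601 timestamps in UTC.
# start = first malicious activity, detected = first alert, confirmed = analyst
# confirmation, responded = first response action, contained = spread stopped.
INCIDENTS = [
    {"id": "INC-1", "sev": "P1", "start": "2024-03-02T02:10:00", "detected": "2024-03-02T02:14:00",
     "confirmed": "2024-03-02T02:18:00", "responded": "2024-03-02T02:21:00", "contained": "2024-03-02T02:38:00"},
    {"id": "INC-2", "sev": "P1", "start": "2024-03-09T23:40:00", "detected": "2024-03-09T23:52:00",
     "confirmed": "2024-03-10T00:05:00", "responded": "2024-03-10T00:09:00", "contained": "2024-03-10T00:41:00"},
    {"id": "INC-3", "sev": "P2", "start": "2024-03-15T10:00:00", "detected": "2024-03-15T10:30:00",
     "confirmed": "2024-03-15T11:00:00", "responded": "2024-03-15T11:10:00", "contained": None},
]
# Constructed monthly alert triage outcomes and (monitored, total) assets per domain.
ALERTS = {"true_positive": 57, "benign_true_positive": 3, "false_positive": 2}
ASSETS = {"identities": (1200, 1200), "endpoints": (860, 900), "saas": (40, 40), "cloud": (310, 310)}

def minutes(a, b):
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 60

def mean_times(incidents, sev=None):
    """MTTD, MTTR and MTTC in minutes; MTTC only counts incidents that are contained."""
    rows = [i for i in incidents if sev is None or i["sev"] == sev]
    contained = [minutes(i["detected"], i["contained"]) for i in rows if i["contained"]]
    return {
        "mttd": mean(minutes(i["start"], i["detected"]) for i in rows),
        "mttr": mean(minutes(i["confirmed"], i["responded"]) for i in rows),
        "mttc": mean(contained) if contained else None,
    }

def containment_breaches(incidents, sev="P1", limit=30):
    """Incidents of the given severity not contained within the limit (still-open ones count)."""
    return [i["id"] for i in incidents if i["sev"] == sev
            and (i["contained"] is None or minutes(i["detected"], i["contained"]) > limit)]

def false_positive_rate(alerts):
    """Share of triaged alerts closed as non-issues, in percent."""
    return 100 * alerts["false_positive"] / sum(alerts.values())

def coverage(assets):
    """Monitored share per domain, plus the domains that are below 100% and need a closure plan."""
    pct = {d: 100 * m / t for d, (m, t) in assets.items()}
    return pct, [d for d, p in pct.items() if p < 100]

if __name__ == "__main__":
    print(mean_times(INCIDENTS, "P1"), containment_breaches(INCIDENTS))
    print(round(false_positive_rate(ALERTS), 2), coverage(ASSETS)[1])
```

On the constructed data, INC-2 breaches the 30-minute P1 containment target and the endpoint domain sits below 100% coverage, which are exactly the exceptions the board report should call out.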

Spend Where It Moves the Needle 

1) Make 24x7 the baseline 

Working-hours cover is close to pointless. Attacks land at weekends, holidays and 2am. Buy true 24x7x365 and verify the provider’s response speed for P1s. 

2) Get smart about logs and retention 

Know your daily GB ingest, separate hot vs cold storage and choose retention to fit your risk and audit needs - longer costs more. Use transformations and summarisation to cut waste and keep optimising. 

3) Choose transparent, inclusive pricing 

Per-user per-month pricing is common for most IT-heavy firms, while a per-device model can fit OT-heavy estates. Avoid EPS or GB-per-day models unless you are truly at massive scale. Push for all-inclusive services so custom rules, dashboards and reports are not chargeable extras.

“Make 24x7 cover non-negotiable, right-size your logs, and insist on evidence you can hand to auditors. That’s how you cut noise and show ROI.” 
Luke Elston, Microsoft Practice Director, CyberOne 

Pricing Models at a Glance 

| Pricing model | Best fit | Strengths | Watch outs | Tips from the webinar |
|---|---|---|---|---|
| Per user per month | IT-heavy organisations with clear headcount | Predictable cost, easy to budget | Can overlook device-heavy pockets | Map licences to security scope so every user is covered |
| Per device per month | OT/IoT-heavy estates, shared endpoints | Aligns cost to protected assets | Can penalise device sprawl | Use asset inventory to right-size device counts quarterly |
| EPS/GB ingest based | Very large scale with stable telemetry | Can reward optimisation at scale | Cost volatility, complex to forecast | Use transformations and summarisation, set ingest guards |
| Inclusive MXDR bundles | Most mid-market firms | Fewer surprises - rules, reports and hunts included | Beware scope creep if “inclusive” is vague | Fix scope in contract, publish a living backlog and roadmap |

How to Compare MXDR Providers 

Weight your evaluation towards technical efficacy first, then operational excellence, and finally trust and governance. Look for high detection quality, rapid response, complete coverage, easy integration with your stack, transparent reporting and strong data handling.

Red flags: working-hours-only cover, resistance to sharing KPIs, no evidence trails, hidden fees for basic tasks and any model that takes your telemetry out of your control without clear safeguards.

What Great Looks Like in Practice 

  • Ransomware drill: provider quarantines all suspect devices and contains within 30 minutes for a P1, with a complete timeline of actions for audit. 
  • Noise reduction: false-positive rate below 5% with continuous tuning, freeing analysts for real investigations and improving response speed. 

Transparency, Trust and Evidence 

Expect real-time dashboards or at least monthly service reviews showing MTTD, MTTR, MTTC, acknowledgement times and false positive ratios, with the provider taking accountability for misses. Also confirm certifications, data masking options and that telemetry remains under your control. 

Due Diligence Checklist 

Meet the analysts, visit the SOC if possible, test crisis processes, request customer references, check financial stability and make sure the exit plan and data handback are crystal clear. Culture and communication matter.

What This Means for Your Business 

Run your quarterly review of these KPIs. Fund the items that improve them fastest: full coverage, 24x7 response, tuned analytics and the right data strategy. Keep the pricing predictable and insist on evidence you can hand to the board and auditors. 

Want the Full Walkthrough?

You can watch Parts 1 and 2 on demand and register for Part 3. The Boardroom Briefing Series gives business leaders a practical view of modern security performance, highlighting what works, what doesn’t and the metrics that truly matter for resilience, cost control and confident board-level decisions.