Why 10 Indicators Are Enough
The ANSSI IT hygiene guide and CIS Controls v8 contain dozens of recommendations. But in practice, 80% of an organization's security posture can be measured with a handful of well-chosen KPIs.
These 10 indicators represent the essential baseline — the ones every CISO, CIO, or managed service provider should be able to check at any time, without manual consolidation. They cover three pillars: endpoint protection, identity management, and response capability.
The 10 Indicators
Endpoint Protection
1. Active EDR Coverage — Target: 100%. Percentage of devices with an active, functioning endpoint protection (EDR/antivirus). A single uncovered device is enough to create a breach. It's the first indicator any auditor checks.
2. System Patch Rate — Target: 95%. Percentage of devices with the latest security patches applied (under 30 days). Known unpatched vulnerabilities remain the #1 attack vector.
3. Backup Success Rate — Target: 100%. Percentage of backups completed successfully over the last 7 days. In case of ransomware, this is the difference between 4 hours and 4 weeks of downtime.
4. Unpatched Critical Vulnerabilities — Target: 0 beyond 30 days. Number of critical vulnerabilities (CVSS ≥ 9) or known exploited vulnerabilities (KEVs) left unpatched for more than 30 days. Beyond this threshold, the risk of active exploitation is real.
Identity Management
5. MFA Adoption — Target: 100%. Percentage of users protected by multi-factor authentication. Without MFA, a compromised password gives direct access to the IT environment.
6. Excessive Privilege Accounts — Target: 0. Number of accounts with unjustified admin rights or not reviewed in the past 90 days. Every unnecessary admin account is an attack surface.
7. Security Policy Compliance — Target: > 90%. Percentage of devices and accounts compliant with defined policies (MDM, GPO, conditional access). Measures day-to-day operational discipline.
Response Capability
8. Phishing Click Rate — To be measured. Percentage of employees who clicked on phishing test emails. Shows the real awareness level — measured, not self-reported.
9. Mean Time to Remediation — Target: 7 to 30 days. Time between detecting a non-compliance and resolving it. A maturity indicator: it measures the ability to act, not just detect.
10. Mean Time to Detection — Target: < 48 hours. Time elapsed between a suspicious activity and its detection. The shorter this delay, the more limited the impact.
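As an added example (not part of the original article and not OverView's code), here is how indicators 1, 2 and 4 can be computed by joining an asset inventory with EDR, patch and scanner exports. The hostnames, record layout and data are constructed, and reading "under 30 days" as "last patched fewer than 30 days ago" is an assumption.

```python
from datetime import date

# Constructed sample exports (not from the article), keyed by hostname.
TODAY = date(2024, 6, 30)
INVENTORY = {"pc-01", "pc-02", "srv-01", "srv-02", "lap-07"}
EDR_AGENTS = {"pc-01": "active", "pc-02": "active", "lap-07": "active",
              "srv-01": "inactive",  # installed but not functioning
              "old-99": "active"}    # reports to the EDR, absent from inventory
LAST_PATCHED = {"pc-01": date(2024, 6, 20), "pc-02": date(2024, 4, 2),
                "srv-01": date(2024, 6, 11), "lap-07": date(2024, 6, 25)}
FINDINGS = [  # (host, cvss, in_kev, first_detected)
    ("srv-01", 9.8, False, date(2024, 5, 1)),
    ("pc-02", 7.5, True, date(2024, 5, 15)),   # KEV counts even below CVSS 9
    ("pc-01", 9.1, False, date(2024, 6, 20)),  # critical, still inside 30 days
    ("lap-07", 6.4, False, date(2024, 1, 3)),  # old, but not critical or KEV
]

def edr_coverage(inventory, agents):
    """Indicator 1: % of inventoried devices whose agent is active."""
    covered = {h for h in inventory if agents.get(h) == "active"}
    return 100 * len(covered) / len(inventory), sorted(inventory - covered)

def patch_rate(inventory, last_patched, today, max_age=30):
    """Indicator 2: % of devices patched under max_age days ago."""
    fresh = {h for h in inventory
             if h in last_patched and (today - last_patched[h]).days < max_age}
    return 100 * len(fresh) / len(inventory), sorted(inventory - fresh)

def overdue_criticals(findings, today, max_age=30):
    """Indicator 4: CVSS >= 9 or KEV findings open for more than max_age days."""
    return [f for f in findings
            if (f[1] >= 9.0 or f[2]) and (today - f[3]).days > max_age]

def unmanaged_hosts(inventory, agents):
    """Hosts seen by the EDR but missing from the inventory (denominator gap)."""
    return sorted(set(agents) - inventory)

if __name__ == "__main__":
    cov, gaps = edr_coverage(INVENTORY, EDR_AGENTS)
    print(f"EDR coverage {cov:.0f}% (target 100%), uncovered: {gaps}")
    rate, stale = patch_rate(INVENTORY, LAST_PATCHED, TODAY)
    print(f"Patch rate {rate:.0f}% (target 95%), stale or unknown: {stale}")
    late = overdue_criticals(FINDINGS, TODAY)
    print(f"Overdue critical/KEV findings: {len(late)} (target 0)")
    print(f"In EDR but not in inventory: {unmanaged_hosts(INVENTORY, EDR_AGENTS)}")
```

The denominator is the inventory, not the EDR console: a device with no agent record (srv-02) or an inactive agent (srv-01) counts as uncovered, and a host the EDR sees but the inventory does not (old-99) is reported separately instead of inflating coverage.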
From Theory to Practice
The challenge isn't defining these 10 indicators — it's calculating them continuously, from real data. Today, most organizations produce them manually in Excel, once a month. The result is partial, self-reported, and outdated the moment it's published.
OverView connects to your existing tools (AD, EDR, CMDB, MDM, vulnerability scanner) and calculates these 10 KPIs automatically. No heavy technical integration is needed: data is collected directly from the solutions you already have in place.
| Manual approach | With OverView |
|---|---|
| Excel consolidation, 2 days/month | Automatic, continuous calculation |
| Self-reported, partial data | KPIs based on real data |
| 5 to 15 tools checked separately | Unified view in a single dashboard |
| No cross-referencing between sources | Automatic correlations across tools |
"We used to spend two days a month producing an approximate dashboard. Now, the 10 indicators are there, up to date, and we know exactly where to act."
To go further, check out our complete guide on the 20 key compliance indicators, which adds cross-tool correlations, where the real risks hide.