WEEK_4 · DAY_29 · 1 HOUR
Metrics, KPIs & SOC Reporting
What the CISO actually wants to see
Learning Objectives
- Define MTTD, MTTR, alert volume, FP rate, dwell time
- Build a CISO dashboard in Splunk ES
- Differentiate operational metrics from strategic outcomes
- Communicate SOC value in business terms
Module 1 — Operational Metrics
MTTD — mean time to detect: incident opened minus first signal in telemetry, averaged over incidents. Report the median next to it; one incident that sat over a weekend can double the mean.
MTTR — mean time to respond: incident closed minus incident opened.
Alert volume per analyst per shift. Treat 20-30 per 8h shift as a rule of thumb for sustainable triage, not a standard; above that, triage quality drops and FP verdicts become guesses.
FP rate per detection: false-positive alerts divided by all alerts the rule produced, taken from analyst triage verdicts.
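The four operational metrics above, computed from records rather than read off a slide. This is an added example for the module, not course material or a Splunk ES feature: the INCIDENTS and ALERTS records, the rule names and the analyst names are constructed sample data, and the 8h shift boundaries (fixed blocks from midnight UTC) are an assumption.

```python
"""Operational SOC metrics (MTTD, MTTR, alerts per analyst-shift, FP rate per rule).

Added example for this module, not course material. INCIDENTS and ALERTS are
constructed sample data; rule and analyst names are invented.
"""
from collections import Counter, namedtuple
from datetime import datetime
from statistics import mean, median

# Constructed incidents. first_signal = earliest evidence in telemetry,
# opened = an analyst opened the incident (the "detect" moment), closed = resolved.
INCIDENTS = [
    {"id": "INC-1", "first_signal": "2024-03-01T08:00:00",
     "opened": "2024-03-01T08:22:00", "closed": "2024-03-01T12:22:00"},
    {"id": "INC-2", "first_signal": "2024-03-02T01:10:00",
     "opened": "2024-03-02T05:10:00", "closed": "2024-03-02T13:10:00"},
    # Saturday signal, picked up Monday: one weekend miss dominates the mean.
    {"id": "INC-3", "first_signal": "2024-03-02T14:00:00",
     "opened": "2024-03-04T14:00:00", "closed": "2024-03-05T02:00:00"},
]

Alert = namedtuple("Alert", "id rule analyst ts verdict")
# Constructed alerts; verdict is the analyst's triage outcome (tp/fp).
ALERTS = [
    Alert("AL-1",  "impossible-travel", "alice", "2024-03-01T08:05:00", "fp"),
    Alert("AL-2",  "impossible-travel", "alice", "2024-03-01T09:40:00", "fp"),
    Alert("AL-3",  "psexec-lateral",    "alice", "2024-03-01T10:12:00", "tp"),
    Alert("AL-4",  "impossible-travel", "alice", "2024-03-01T11:30:00", "tp"),
    Alert("AL-5",  "psexec-lateral",    "alice", "2024-03-01T13:02:00", "fp"),
    Alert("AL-6",  "mimikatz-lsass",    "alice", "2024-03-01T15:45:00", "tp"),
    Alert("AL-7",  "impossible-travel", "bob",   "2024-03-01T16:20:00", "fp"),
    Alert("AL-8",  "psexec-lateral",    "bob",   "2024-03-01T18:00:00", "tp"),
    Alert("AL-9",  "impossible-travel", "bob",   "2024-03-01T21:15:00", "fp"),
    Alert("AL-10", "psexec-lateral",    "bob",   "2024-03-01T23:50:00", "tp"),
    Alert("AL-11", "mimikatz-lsass",    "bob",   "2024-03-01T23:55:00", "tp"),
]


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def time_to_detect(inc) -> float:
    return _hours(inc["first_signal"], inc["opened"])


def time_to_respond(inc) -> float:
    return _hours(inc["opened"], inc["closed"])


def mttd_hours(incidents) -> float:
    """Mean time to detect in hours (opened minus first signal)."""
    return mean(time_to_detect(i) for i in incidents)


def median_ttd_hours(incidents) -> float:
    """Median time to detect: what the mean hides when one incident sat over a weekend."""
    return median(time_to_detect(i) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean time to respond in hours (closed minus opened)."""
    return mean(time_to_respond(i) for i in incidents)


def alerts_per_analyst_shift(alerts, shift_hours: int = 8) -> Counter:
    """Alert count keyed by (analyst, date, shift index).
    Assumption: shifts are fixed 8h blocks starting at midnight UTC."""
    counts = Counter()
    for a in alerts:
        t = datetime.fromisoformat(a.ts)
        counts[(a.analyst, t.date().isoformat(), t.hour // shift_hours)] += 1
    return counts


def overloaded_shifts(alerts, limit: int = 30) -> list:
    """Analyst-shifts whose alert count exceeds the sustainable limit."""
    return sorted(k for k, n in alerts_per_analyst_shift(alerts).items() if n > limit)


def fp_rate_by_rule(alerts) -> dict:
    """False-positive rate per detection rule: fp alerts / all alerts the rule produced."""
    total, fps = Counter(), Counter()
    for a in alerts:
        total[a.rule] += 1
        if a.verdict == "fp":
            fps[a.rule] += 1
    return {rule: fps[rule] / total[rule] for rule in total}


if __name__ == "__main__":
    print(f"MTTD {mttd_hours(INCIDENTS):6.2f} h  (median {median_ttd_hours(INCIDENTS):.2f} h)")
    print(f"MTTR {mttr_hours(INCIDENTS):6.2f} h")
    for key, n in sorted(alerts_per_analyst_shift(ALERTS).items()):
        print("alerts per shift", key, n)
    for rule, rate in sorted(fp_rate_by_rule(ALERTS).items()):
        print(f"FP rate {rule:<18} {rate:.0%}")
```

On this data the mean TTD is about 17.5h while the median is 4h: INC-3 alone accounts for the gap, which is why the tile should carry both. The impossible-travel rule runs at an 80% FP rate and is the first tuning candidate.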
Module 2 — Strategic Metrics
% of in-scope ATT&CK techniques covered by at least one enabled detection. Count a rule only if it is enabled and every data source it needs is actually being ingested; a rule that exists on paper is not coverage.
Detection coverage by data source: which techniques each ingested source contributes to. A source with no detections behind it is ingest cost with no detection value.
Mean dwell time (compromise to detection) across confirmed incidents. This is not MTTD: dwell starts at the compromise time established by the investigation, MTTD starts at the first signal in telemetry.
% of incidents auto-resolved by SOAR playbooks without analyst action.
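The strategic metrics above, computed from a detection catalogue and confirmed incidents, including the nominal-versus-effective coverage distinction. This is an added example, not course material: the technique list, detection names, data-source names, ingest status and incident records are all constructed, and the ATT&CK IDs are only used as opaque labels for the in-scope set.

```python
"""Strategic SOC metrics: ATT&CK coverage (nominal vs effective), coverage by
data source, mean dwell time and SOAR auto-resolution.

Added example for this module, not course material. The in-scope technique
set, detection catalogue, ingest status and incidents are constructed samples.
"""
from datetime import datetime
from statistics import mean

# In-scope techniques, e.g. those the threat model says matter (constructed).
IN_SCOPE = {"T1078", "T1059.001", "T1021.002", "T1003.001",
            "T1566.001", "T1486", "T1071.001", "T1110"}

# Detection catalogue: techniques a rule covers and the log sources it needs.
DETECTIONS = [
    {"name": "psexec-lateral", "techniques": {"T1021.002"},
     "sources": {"windows-security", "sysmon"}, "enabled": True},
    {"name": "mimikatz-lsass", "techniques": {"T1003.001"},
     "sources": {"sysmon"}, "enabled": True},
    {"name": "powershell-encoded", "techniques": {"T1059.001"},
     "sources": {"powershell-logs"}, "enabled": True},
    {"name": "impossible-travel", "techniques": {"T1078"},
     "sources": {"idp"}, "enabled": True},
    {"name": "c2-beacon-jitter", "techniques": {"T1071.001"},
     "sources": {"proxy"}, "enabled": False},  # disabled as too noisy
]

# Data sources the SOC pays to ingest, and whether they are arriving today.
INGESTING = {"windows-security": True, "sysmon": True, "powershell-logs": False,
             "idp": True, "proxy": True, "edr": True}

# Confirmed incidents: compromise time from the investigation, detection time,
# and who closed the ticket (analyst or SOAR playbook).
INCIDENTS = [
    {"id": "INC-1", "compromised": "2024-02-28T08:22:00",
     "detected": "2024-03-01T08:22:00", "closed_by": "analyst"},
    {"id": "INC-2", "compromised": "2024-03-01T05:10:00",
     "detected": "2024-03-02T05:10:00", "closed_by": "analyst"},
    {"id": "INC-3", "compromised": "2024-02-22T14:00:00",
     "detected": "2024-03-04T14:00:00", "closed_by": "analyst"},
    {"id": "INC-4", "compromised": "2024-03-03T09:00:00",
     "detected": "2024-03-03T09:05:00", "closed_by": "soar"},
    {"id": "INC-5", "compromised": "2024-03-04T10:00:00",
     "detected": "2024-03-04T10:10:00", "closed_by": "soar"},
]


def is_effective(det, ingesting) -> bool:
    """A rule only counts if it is enabled and every source it needs is arriving."""
    return det["enabled"] and all(ingesting.get(s, False) for s in det["sources"])


def technique_coverage(detections, in_scope, ingesting=None) -> float:
    """Fraction of in-scope techniques covered. With ingesting=None this is the
    nominal 'a rule exists' number; pass the ingest map for effective coverage."""
    covered = set()
    for det in detections:
        if ingesting is None or is_effective(det, ingesting):
            covered |= det["techniques"]
    return len(covered & in_scope) / len(in_scope)


def coverage_by_source(detections, ingesting) -> dict:
    """Techniques each data source contributes to through enabled rules.
    An empty set means ingest cost with no detection behind it."""
    out = {src: set() for src in ingesting}
    for det in detections:
        if det["enabled"]:
            for src in det["sources"]:
                out.setdefault(src, set()).update(det["techniques"])
    return out


def mean_dwell_hours(incidents) -> float:
    """Mean compromise-to-detection time in hours over confirmed incidents."""
    return mean(
        (datetime.fromisoformat(i["detected"])
         - datetime.fromisoformat(i["compromised"])).total_seconds() / 3600
        for i in incidents)


def auto_resolved_pct(incidents) -> float:
    """Percentage of incidents closed by SOAR without analyst action."""
    return 100 * sum(i["closed_by"] == "soar" for i in incidents) / len(incidents)


if __name__ == "__main__":
    print(f"nominal coverage   {technique_coverage(DETECTIONS, IN_SCOPE):.0%}")
    print(f"effective coverage {technique_coverage(DETECTIONS, IN_SCOPE, INGESTING):.0%}")
    for src, techniques in sorted(coverage_by_source(DETECTIONS, INGESTING).items()):
        print(f"{src:<17} {sorted(techniques) or 'no detections'}")
    print(f"mean dwell {mean_dwell_hours(INCIDENTS):.1f} h, "
          f"auto-resolved {auto_resolved_pct(INCIDENTS):.0f}%")
```

The nominal number is 5 of 8 techniques (62.5%); the effective number is 3 of 8 (37.5%), because one rule is disabled and another depends on a log source that has stopped arriving. The by-source view also shows `edr` ingested with nothing reading it. Only the effective figure belongs on the CISO dashboard.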
Module 3 — Communicating Value
Convert metrics to outcomes: 'Reduced MTTD from 4h to 22m → estimated risk reduction $2.1M/yr.'
Always show 90-day trends rather than snapshots: a single day's value is dominated by whatever happened that day.
Lab 29 — Build a CISO Dashboard
- Open Splunk ES → Security Posture.
- Identify the 4 KPIs the CISO cares about most.
- Sketch a dashboard: 4 KPI tiles (current value + 30-day trend), 1 risk heatmap and 1 incidents-by-month chart.
- Convert each KPI to a business outcome statement.
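The data behind one KPI tile, covering the "trends, not snapshots" point from Module 3 and the tile spec in the lab (current value plus 30-day trend). This is an added example, not course material or Splunk ES output: the daily MTTD series is constructed so that a step improvement at day 60 and a single bad day at day 88 are visible, and the 30-day window and weekly bucketing are assumptions.

```python
"""KPI tile data: current 30-day value against the prior 30 days, the 90-day
weekly trend, and what a single-day snapshot would have shown instead.

Added example, not course material. The daily MTTD series is constructed.
"""
from statistics import mean, median


def constructed_daily_mttd(days: int = 90) -> list:
    """Constructed daily MTTD in hours: 4.0h for the first 60 days, 0.4h after a
    detection/SOAR improvement, plus one weekend incident at day 88 (6.0h)."""
    series = [4.0 if d < 60 else 0.4 for d in range(days)]
    series[88] = 6.0
    return series


def windows(series, days: int):
    """The last `days` values and the `days` values before them."""
    return series[-days:], series[-2 * days:-days]


def kpi_tile(series, days: int = 30) -> dict:
    """What a KPI tile should carry: current-window mean and median, the
    prior-window mean, and the percent change (negative is better for MTTD)."""
    cur, prior = windows(series, days)
    cur_mean, prior_mean = mean(cur), mean(prior)
    return {
        "current": cur_mean,
        "current_median": median(cur),
        "prior": prior_mean,
        "delta_pct": 100 * (cur_mean - prior_mean) / prior_mean,
    }


def snapshot(series, day: int) -> float:
    """A single day's value, i.e. what a snapshot tile shows."""
    return series[day]


def weekly_trend(series) -> list:
    """Week-by-week means for the 90-day trend line (full weeks only)."""
    full = len(series) - len(series) % 7
    return [mean(series[i:i + 7]) for i in range(0, full, 7)]


def outcome_statement(name: str, tile: dict, unit: str = "h") -> str:
    """The sentence the CISO reads, derived from the tile rather than typed by hand."""
    direction = "reduced" if tile["delta_pct"] < 0 else "increased"
    return (f"{name} {direction} from {tile['prior']:.1f}{unit} to "
            f"{tile['current']:.1f}{unit} over the last 30 days ({tile['delta_pct']:+.0f}%)")


if __name__ == "__main__":
    series = constructed_daily_mttd()
    tile = kpi_tile(series)
    print(outcome_statement("MTTD", tile))
    print(f"median over the window: {tile['current_median']:.1f}h")
    print(f"snapshot on day 88: {snapshot(series, 88):.1f}h  (the trend says otherwise)")
    print("weekly trend:", [round(w, 2) for w in weekly_trend(series)])
```

Reading day 88 alone gives 6.0h and the message "MTTD got worse"; the 30-day window gives 0.6h against 4.0h before, and the median of 0.4h shows the 6.0h day is a single outlier. The weekly trend line is what makes that obvious without explanation.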
Key Takeaways
- ✓MTTD/MTTR/Volume/FP are operational
- ✓% Coverage / Auto-resolved / Dwell are strategic
- ✓Trends > snapshots, always