Cybersecurity metrics: what to track as an MSP

| By:
Sajal Sahay

This blog is the sixth and final part of the multi-part series summarizing “The Ultimate Operations Guide for MSP Cybersecurity.” In this sixth installment, we’ll detail the cybersecurity metrics that are most important to track for MSPs and establish a common starting point for building out your cybersecurity offerings. If you’re interested in reading the rest of the series, you can access them below:

Why is tracking performance important?

A security operations center (SOC) monitors and responds to cybersecurity incidents across an organization’s networks and systems. For MSPs, tracking and measuring performance metrics is crucial to ensure the SOC is doing its job effectively. Throughout the rest of this blog, we'll discuss the key performance indicators (KPIs) and critical metrics that indicate how well an MSP's SOC is performing.

Key performance indicators

While there are many different ways to measure performance, certain KPIs are more important than others. Some of the more simple, standard KPIs being tracked by SOCs include:

  • Number of open critical tickets
  • The average age of open critical tickets
  • Number of cybersecurity tickets or incidents—broken down by severity or priority
  • The average age of open cybersecurity tickets—broken down by severity or priority
  • Amount of tickets by source—SIEM, EDR, MDR, user request, etc.
  • Amount of time to resolve a ticket—broken down by severity or priority

KPIs don’t stop there—depending on your business needs and goals, there are many other factors you may want to consider when tracking performance. These include:

  • Mean time to respond (MTTR): This measures the time it takes for the SOC to respond after it detects a cybersecurity incident. A low MTTR is critical to reducing the impact of cybersecurity incidents. MTTR can also be broken down by severity or priority.
  • Number of false positives: False positives are cybersecurity alerts triggered by benign events rather than actual cybersecurity incidents. Excessive false positives can lead to alert fatigue, decreasing the effectiveness of a SOC. This may indicate an opportunity to better tune the solution to the client’s environment.
  • Number of escalations: Escalations occur when an incident is passed from one team or analyst to another for further investigation. A high number of escalations may indicate that the SOC is understaffed or that analysts need more training.
  • Number of incidents resolved: This measures the number of cybersecurity incidents successfully resolved by the SOC. It indicates the effectiveness of the SOC in protecting the organization from cybersecurity threats.
  • Customer satisfaction: Ultimately, the effectiveness of the SOC will be judged by the satisfaction of its customers. Customer satisfaction metrics can help identify improvement areas and ensure the SOC meets the organization’s needs.

While the above KPIs are focused on different ways to track your success, there are also KPIs for tracking associated costs. Examples of this include:

  • The average labor hours per ticket—broken down by severity or priority
  • The average labor hours per ticket—broken down by source

Understanding and analyzing KPIs

When service metrics appear to be on target and “green” on the surface but are “red” when you look any deeper, it can indicate poor service and unhappy clients. This phenomenon is not unique to the IT industry or MSPs—however, it reinforces the importance of truly understanding each KPI and its implications.

Of course, this is easier said than done. Without a deep understanding of the performance metric, your MSP may not be getting the most out of the KPIs you’re tracking. There are several scenarios in which this could happen, specifically if you’re not:

  • Measuring the right things: An MSP may collect a lot of information, but it may not tell a story that’s important to clients.
  • Considering the experience: An MSP may be answering the phone or closing tickets, but clients may be left with questions the MSP can’t answer or that “fall outside the scope of the agreement.” MSPs should consider what their clients experience when they use their services.
  • Collecting enough data: A SOC may be getting a few positive CSAT scores a month, but if those represent 1% of the overall ticket closure, they may not be telling the whole story. MSPs should encourage clients to give regular feedback to continually help improve their services.

Face-to-face client meetings

When it comes to cybersecurity services, client meetings have become increasingly important. The better an MSP is at their job, the lower the chances their clients will have problems with cybersecurity—and one of the best ways to know if your clients are satisfied is to talk with them yourself.

MSPs with long-term customer relationships are able to continually mitigate evolving risks and establish the highest perceived value with their clients. They meet regularly with them and explain the findings and trends, along with recommendations to help them meet their business objectives.

Top-performing MSPs leverage quarterly business reviews (QBRs) as a key relationship-building and management activity that directly and continually engages their C-level customers. QBRs are proven to keep customers engaged and satisfied because they continually connect the successful operation and evolution of the infrastructure to the company’s business goals in the C-level’s eyes, creating an optimal win-win relationship.

Work with an expert to get the most out of your KPIs

It’s important to remember that cybersecurity includes multiple technical and administrative components working together to maintain the core principles of confidentiality, integrity, and availability. It takes someone with cybersecurity experience to take the important information gleaned from the dashboards and turn it into usable insights.

Luckily, there are solutions in place, such as BrightGauge™, a ConnectWise solution, that let administrators view all the available data in one place and then translates the information into meaningful terms that business leaders can understand.

This is also where a relationship with a SOC can be very valuable for MSPs. Most SOCs employ a security information and event management (SIEM) process that aggregates data streams from various cybersecurity-focused systems. The trained cybersecurity specialists in a SOC then collect and review the aggregated data to proactively develop remediation plans for their clients.


This blog is meant to serve as a high-level overview of common cybersecurity performance metrics for MSPs. For a more detailed understanding of these critical metrics, download “The Ultimate Operations Guide for MSP Cybersecurity” eBook in its entirety.