
Understanding the HighGround Cyber KPIs

Learn about the HighGround Cyber KPIs including what they represent, how they are calculated and how to use them with clients and prospects

Written by Mark Lamb
Updated over 3 weeks ago

1.0 - Introduction

Business owners, senior leaders, and decision-makers are busy. They’re juggling priorities left, right, and centre. Their time? Scarce. Their attention span? Even scarcer. And more often than not, they assume you’ve got their cybersecurity sorted.

That’s where MSPs come in. It’s your job to cut through the noise and help clients understand their cybersecurity - fast. You need to speak their language and present insights at a level that supports quick, confident, data-driven decisions.

In practical terms, this means being:

  • measurable

  • sufficiently detailed to enable decisions

  • high-level enough to ensure understanding

  • aligned with industry best practices

  • tailored to their own organisation's risks and opportunities

The good news? This isn’t uncharted territory. In fact, KPIs have been the go-to strategy for decades across industries to drive focus and clarity. They work – and they work well.

That’s why HighGround gives MSPs three clear, consistent KPIs to communicate cybersecurity performance to clients:

  • CyberScore

    A single score (0–100) that reflects an organisation’s overall cybersecurity posture. It’s simple, easy to understand, and perfect for those "so… how secure are we?" conversations.

  • CyberResilience

    Also scored from 0–100, this KPI shows how well an organisation can govern, respond, recover, and continuously improve its cybersecurity approach. It’s all about readiness and adaptability.

  • NIST CSF 2.0 Alignment

    This one’s a bit different. It’s a multi-dimensional visual that maps an organisation’s security controls against the NIST Cybersecurity Framework 2.0 – creating a unique ‘security shape’ that’s as informative as it is eye-catching.

By turning complex cybersecurity data into clear, visual KPIs, HighGround helps MSPs like you have better conversations with clients. No more blank stares, no more guesswork — just informed discussions, strategic planning, and investment in the right areas of security.

In the rest of this article, we’ll take a closer look at each of these three KPIs and how to use them effectively in your client conversations.

Tip: You can now use AI to help you provide answers for any technologies you do not have. To learn more about AI read our Using AI in HighGround article.

2.0 - CyberScore: Your Overall Security Posture

2.1 - What is the CyberScore KPI?

Think of CyberScore as the credit score of cybersecurity.

It’s a simple, high-level indicator — scored from 0 to 100 — that shows how well an organisation is protected against cyber threats. Just like a credit score gives you a sense of financial health, CyberScore tells you how robust your client’s cybersecurity posture is at a glance.

It’s clear, quantifiable, and perfect for sparking meaningful conversations with clients about risk, progress, and investment priorities.

2.2 - How is the CyberScore KPI Calculated?

CyberScore is based on the technologies and practices an organisation has in place to protect, detect, respond to, and recover from cyber threats. Each item has its own weighting, reflecting its importance in real-world defence scenarios.

Here’s the breakdown:

Technologies – Tools like Endpoint Protection, MDR, EDR, etc.

Practices – Actions like enabling SPF/DKIM, running regular penetration tests, or reviewing admin access controls.

Most of these are aligned with the NIST Cybersecurity Framework 2.0, which means they follow internationally recognised best practices. A few additional items have been included in the scoring algorithm too — ones that, while not in the NIST CSF, are widely accepted as best practice across the industry.

Once you've completed the attestations, the CyberScore calculates dynamically, giving you an instant, data-driven snapshot of your client's cybersecurity posture.

2.3 - How to Attest the CyberScore KPI

To update or "attest" a client's CyberScore, just click into the CyberScore KPI anywhere in the HighGround platform. You’ll be walked through a series of questions across 16 sections and 11 subsections, covering all the key areas of modern cybersecurity.

There are two types of questions you’ll come across:

1. Technology attestations – These are about tools. You’ll confirm whether the client is using a specific product from your MSP’s stack or their own.

Example: SentinelOne as the tool used for Endpoint Protection.

2. Practice attestations – These are about behaviors or configurations. You’ll assess whether certain practices are in place.
Example: Have SPF, DKIM, and DMARC been configured? Is annual penetration testing conducted?

2.4 - Attestation Methods

There are three ways to attest a client's CyberScore, and you can mix and match them to get the most accurate picture:

Method 1 - Manually

Click on each row in the CyberScore attestation modal and select a tool from your MSP's security stack, choose one of the tools from the general tools list provided by HighGround, or create a tool manually. For practices, simply add the practices that are implemented.

Method 2 - Applying a security package

The CyberScore can also be driven by applying one of your MSP's security packages to a client. If a security package has been applied to a client, attestation is locked, because it is inherited directly from the security package.

Method 3 - Security Tool Suggestions

If you are unsure which security tools a client has, and you have integrated your PSA or finance tool with HighGround, click the blue 'Review' button for security tool suggestions.

This flexibility makes it fast and accurate — no matter your setup or client relationship.

3.0 - Cyber Resilience

3.1 - What is the Cyber Resilience KPI?

Where CyberScore gives you a snapshot of how secure an organisation is right now, the CyberResilience KPI answers a different — but equally critical — question:

How well could this organisation respond, recover, and adapt if a cyber-attack actually happened?

CyberResilience reflects an organisation’s ability to govern risk, handle incidents, bounce back from disruption, and continuously improve its security posture. It’s not just about having defences in place — it’s about having the muscle memory to react and recover with minimal impact on the business.

Think of it like an immune system. A strong immune system doesn’t just stop threats — it learns, adapts, and gets stronger. That’s what CyberResilience is all about.

3.2 - How is the Cyber Resilience KPI Calculated?

This KPI is driven by how well an organisation manages its cyber risk over time — not just what’s implemented, but how often it’s reviewed, tested, and updated.

To achieve a strong CyberResilience score, an organisation needs to:

  • Anticipate and prepare for cyber threats to minimize disruption

  • Identify and protect critical data and assets

  • Understand and meet legal and contractual security obligations

  • Implement, test, and review risk management processes regularly

  • Align technology strategy with business risks and opportunities

  • Develop and test robust incident response and disaster recovery plans

  • Govern cybersecurity at the board level

  • Limit legal and financial exposure, e.g. through cyber insurance
Each practice has a unique weighting in the scoring algorithm based on its impact on overall cyber resilience.

Almost all practices align with the NIST Cybersecurity Framework 2.0, and the few extras not in the framework are still recognised as industry best practices — so you can be confident this KPI reflects real-world resilience.

3.3 - How to Attest CyberResilience

There are two main ways to attest a client’s CyberResilience:

  • clicking on the Cyber Resilience KPI anywhere in the UI, and attesting to each of the 11 sections

  • actively managing these activities in the Governance & Resilience module, for example uploading policies, procedures and performing reviews

When attesting a client's Cyber Resilience KPI, you attest to security practices rather than tools.

There are two methods for attesting a client's Cyber Resilience KPI, which you can mix and match to quickly and accurately map your client's Cyber Resilience:

Method 1 - Manually


Click the CyberResilience KPI in the UI and attest to each of the 11 sections. Each section includes a set of security practices that should be implemented and regularly reviewed.

Note: for the Backup & Disaster Recovery section, there are a handful of questions about backup tools.

Method 2 - Manage through the Governance & Resilience module

HighGround’s Governance & Resilience module allows MSPs and clients to co-manage cyber resilience activities. Here, you can:

  • Upload IR and DR plans & policies

  • Log and review incident response & DR tests

  • Perform risk assessments and board reviews

  • Map compliance with security and data privacy frameworks

  • Upload and manage cyber insurance documentation

Any activities performed here automatically update the CyberResilience KPI. Real-world data always overrides manual attestations, ensuring the score reflects what’s actually happening — not just what’s been checked off.

Note: The Cyber Resilience KPI is not dynamically updated by applying a security package to a client. To achieve the resilience benefits of a security package, you must perform these actions in the Governance & Resilience module and/or attest them in the Cyber Resilience KPI. Because regular reviews are required, this is an ongoing task, and the scoring mechanism in HighGround reflects this.

4.0 - NIST CSF 2.0 Alignment (aka Cyber Radar Chart)

4.1 - What is NIST CSF 2.0 Alignment?

The NIST Cybersecurity Framework (CSF) 2.0 is one of the most widely adopted models for understanding and managing cybersecurity risk. It’s built around six key functions: Govern, Identify, Protect, Detect, Respond, and Recover.

At HighGround, we turn this framework into something visual and client-friendly: the Cyber Radar Chart.

This KPI maps an organisation’s cybersecurity maturity across five of the six NIST functions (excluding Govern, which is already covered by the CyberResilience KPI). The result? A unique, visual ‘security shape’ that gives instant insight into where an organisation is strong — and where there’s room to improve.

Imagine a fitness tracker. Just like a Fitbit tracks your heart rate, sleep, and steps, the Cyber Radar Chart shows how well an organisation is doing in each area of cybersecurity. The further out a point reaches on the radar, the more mature that capability is.

When you're discussing cybersecurity maturity with clients, referring to their security shape is a powerful way to show progress, gaps, and trends — all at a glance.

4.2 - How is the NIST CSF 2.0 Alignment Calculated?

The radar chart draws on attestation data from the CyberScore and CyberResilience KPIs. It evaluates an organisation's maturity across these five core functions:

  • Identify – Are assets, risks, and vulnerabilities understood and documented?

  • Protect – Are controls in place to prevent threats from causing damage?

  • Detect – Are systems being actively monitored for suspicious activity?

  • Respond – Is there a clear, actionable plan in place for dealing with incidents?

  • Recover – Can services be restored quickly and effectively after an incident?

Each function is scored behind the scenes using the answers you’ve already provided in the CyberScore and CyberResilience sections. The result is a clean, dynamic radar chart that updates in real time.
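To make the scoring model in sections 2.2 and 4.2 concrete, here is an added worked example in Python. It is not HighGround's own code and does not reproduce HighGround's algorithm or weightings; the catalogue items, their weights and the NIST CSF 2.0 function each item maps to are all constructed for illustration. It shows the three mechanics the article describes: a weighted 0–100 score over technology and practice attestations, the same attestations re-aggregated per NIST function to feed a five-axis radar chart, and the rule from section 3.3 that evidence logged in a module overrides a manual attestation for the same item.

```python
"""Illustrative weighted attestation scoring (example code, not HighGround's).

Everything below is hypothetical: the catalogue, the weights and the
item-to-function mapping are constructed for this example only.
"""
from dataclasses import dataclass

# The five functions drawn on the radar chart (Govern is left to CyberResilience)
RADAR_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class ControlItem:
    name: str
    kind: str       # "technology" or "practice"
    weight: float   # hypothetical importance weighting
    function: str   # NIST CSF 2.0 function the item supports


@dataclass(frozen=True)
class Attestation:
    item: str
    satisfied: bool
    source: str = "manual"  # "manual" (attestation modal) or "evidence" (module activity)


# Constructed catalogue; weights are illustrative only
CATALOG = [
    ControlItem("Endpoint Protection", "technology", 3.0, "Protect"),
    ControlItem("EDR/MDR", "technology", 3.0, "Detect"),
    ControlItem("Vulnerability scanning", "technology", 2.0, "Identify"),
    ControlItem("SPF/DKIM/DMARC configured", "practice", 2.0, "Protect"),
    ControlItem("Admin access review", "practice", 1.5, "Protect"),
    ControlItem("Annual penetration test", "practice", 2.0, "Identify"),
    ControlItem("Asset inventory maintained", "practice", 1.5, "Identify"),
    ControlItem("IR plan tested", "practice", 2.5, "Respond"),
    ControlItem("Backup restore tested", "practice", 2.5, "Recover"),
]

# Constructed attestations for one client. Two items carry both a manual
# answer and logged evidence; the evidence must win in both directions.
SAMPLE_ATTESTATIONS = [
    Attestation("Endpoint Protection", True),
    Attestation("EDR/MDR", True),
    Attestation("Vulnerability scanning", True),
    Attestation("SPF/DKIM/DMARC configured", True),
    Attestation("Admin access review", True),
    Attestation("Annual penetration test", True),               # ticked manually...
    Attestation("Annual penetration test", False, "evidence"),  # ...but no test logged this year
    Attestation("IR plan tested", False),                       # not ticked...
    Attestation("IR plan tested", True, "evidence"),            # ...but a test was logged in the module
    Attestation("Backup restore tested", False),
]


def resolve(attestations):
    """One answer per item: evidence overrides manual, never the reverse."""
    resolved = {}
    for a in attestations:
        prev = resolved.get(a.item)
        if prev is None or a.source == "evidence" or prev.source == "manual":
            resolved[a.item] = a
    return resolved


def weighted_score(items, attestations):
    """0-100: weight of satisfied items over the total weight of `items`.
    An item with no attestation at all counts as unmet."""
    answers = resolve(attestations)
    total = sum(i.weight for i in items)
    if total == 0:
        return 0
    achieved = sum(i.weight for i in items
                   if i.name in answers and answers[i.name].satisfied)
    return round(100 * achieved / total)


def cyber_score(attestations, catalog=CATALOG):
    """Single headline score across the whole catalogue."""
    return weighted_score(catalog, attestations)


def radar_scores(attestations, catalog=CATALOG):
    """Per-function scores that would feed a five-axis radar chart."""
    return {fn: weighted_score([i for i in catalog if i.function == fn], attestations)
            for fn in RADAR_FUNCTIONS}


def top_gaps(attestations, catalog=CATALOG, n=3):
    """Unmet items, heaviest first: the shortlist for the next client conversation."""
    answers = resolve(attestations)
    unmet = [i for i in catalog
             if not (i.name in answers and answers[i.name].satisfied)]
    return [i.name for i in sorted(unmet, key=lambda i: i.weight, reverse=True)[:n]]


if __name__ == "__main__":
    print("CyberScore:", cyber_score(SAMPLE_ATTESTATIONS))
    for fn, score in radar_scores(SAMPLE_ATTESTATIONS).items():
        print(f"  {fn:<9} {score:>3}")
    print("Top gaps:", top_gaps(SAMPLE_ATTESTATIONS))
```

With the constructed data the headline score is 70, while the per-function view exposes what the single number hides: Protect, Detect and Respond are fully covered, Recover is at zero, and Identify sits at 36 because the penetration test that was ticked manually has no logged evidence behind it. That contrast is the reason the article recommends reading the radar shape alongside the score.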

4.3 - How to Attest NIST CSF 2.0 Alignment

Here’s the best part — you don’t need to do anything extra.

The NIST CSF 2.0 radar chart is automatically generated based on:

  • Your attestations to CyberScore and CyberResilience

  • Any security packages applied to the client

This means you get a powerful, standards-based visual output — with zero extra data entry. It’s built right into the process of assessing your client’s cybersecurity posture.

By translating a complex industry framework into a clear visual, the Cyber Radar Chart helps MSPs bring cybersecurity conversations to life — and helps clients see the bigger picture without getting lost in the detail.

5.0 - Conclusion

HighGround’s Cyber KPIs (CyberScore, CyberResilience, and NIST CSF 2.0 Alignment) give MSPs and their clients a clear, consistent, and data-driven way to assess and improve cybersecurity.

By regularly attesting to these KPIs, you empower your clients to:

  • Spot gaps in their security posture before attackers do

  • Build resilience to respond and recover from incidents effectively

  • Stay aligned with industry best practices like NIST CSF 2.0

And because everything is tracked and visualised within HighGround, your clients get an up-to-date, audit-ready view of their cybersecurity health — one that supports real conversations, smarter decisions, and meaningful security improvements.

It’s not just reporting. It’s a roadmap to better cybersecurity.
