Building Your Phishing Simulation Dashboard: vCISO's Guide
Every fractional CISO and vCISO eventually hits the same problem. The first three clients are manageable. By the seventh, the quarterly reporting cycle has become a multi-day spreadsheet exercise. By the twelfth, the report quality has visibly drifted between clients and the practice has stopped scaling. The fix is not more billable hours on report production - it's a dashboard architecture that holds up across a portfolio.
This is the architectural shape that has held up for vCISO practices ranging from a single fractional leader serving a half-dozen mid-market clients to organized vCISO firms running phishing programs across thirty or more accounts. It draws on ISACA's governance framing for security program metrics and on the broker-side reporting conventions that Marsh and Aon use when summarizing client portfolios. The goal is consistency, audit-readiness and a one-click client-facing export that doesn't require rebuilding from scratch every quarter.
The architectural principle: shared definitions, per-client tenancy
Most vCISO reporting bottlenecks come from inconsistent definitions across clients. Client A reports "click rate" as raw clicks divided by sends; Client B reports it as unique clickers divided by recipients; Client C reports it as clickers within 7 days. All three are defensible; together they cannot be benchmarked against each other or against external sources, and the vCISO ends up doing per-client narrative translation every quarter.
Step one is to pick a definition for each KPI and apply it across every client identically. Step two is to use a platform with per-client tenancy that enforces the same definitions natively. The combination kills the translation step.
The four KPIs that belong on every client's dashboard
For every client engagement, the executive dashboard view should carry the same four core KPIs:
- Click-through rate by campaign, with four-quarter trend.
- Training completion rate within 7 days of click.
- Time-to-remediation (median hours from click to training completion).
- Repeat-clicker rate.
The same four metrics, defined the same way, for every client. Cohort breakdowns and per-channel splits sit underneath these four. Anything else is operational detail that belongs in the operational view.
Cohort design that scales
Cohorts vary across clients (a healthcare system has different relevant cohorts than a manufacturing firm), but the cohort architecture should be consistent. The pattern that scales:
- Department cohort. Always present. Typically 5-8 buckets per client. Finance, IT, Sales, Operations, Executive, plus client-specific.
- Tenure cohort. First-90-days, 90-day-to-1-year, 1+ year. New-hire risk is consistent across industries and worth always tracking.
- Difficulty cohort. Easy, regular, hard - matches the template difficulty taxonomy and prevents a single aggregate click rate from hiding important variance.
- Channel cohort. Email, SMS, voice. Every client gets all three even if not all three are active yet, with "not yet running" as an explicit status rather than a missing column.
- Risk-role cohort. Privileged users, finance signatories, executives. Always reported even when the population is small, because these are the cohorts that drive insured loss.
Same cohort architecture across every client. Per-client cohort definitions adapt to the org chart, but the structure stays put.
The roll-up view that makes vCISOs look smart
The capability that distinguishes a mature vCISO practice from a transactional one is the cross-client roll-up view. A roll-up dashboard that summarizes program health across the portfolio enables three things that single-client dashboards can't:
- Cross-client benchmarking. "Your click rate is in the 60th percentile of our portfolio" is a more compelling client conversation than "your click rate is 12%."
- Practice-wide trend visibility. If five of your eight clients regressed in Q3, that's a pattern worth noticing - perhaps a particular template family ran across all of them.
- Resource allocation across clients. The roll-up tells you where the next hour of vCISO attention is best spent.
Building a roll-up view requires that per-client data live in a structure where it can be aggregated. That's the second-order benefit of consistent KPI definitions; without them, the roll-up is impossible.
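As an added illustration of the fixed KPI definitions and the roll-up percentile described above (example code, not part of the original article or the platform it describes): the click-rate definition chosen here is unique clickers over unique recipients, training completion is counted per click event within a 7-day window, repeat clickers are users who clicked in two or more campaigns, and the percentile is the share of other portfolio clients whose click rate is at least as high; the event rows and portfolio rates are constructed sample data, and all four definitions are assumptions made for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events, not real client data. One row per (campaign, recipient):
# (campaign, user, clicked_at or None, trained_at or None), times as ISO strings.
EVENTS = [
    ("Q3-c1", "alice", "2024-07-02T09:00", "2024-07-02T15:00"),
    ("Q3-c1", "bob",   "2024-07-02T10:00", None),
    ("Q3-c1", "carol", None, None),
    ("Q3-c1", "dave",  "2024-07-03T08:00", "2024-07-12T08:00"),  # trained, but after 7 days
    ("Q3-c2", "alice", "2024-08-06T11:00", "2024-08-07T11:00"),
    ("Q3-c2", "bob",   None, None),
    ("Q3-c2", "carol", None, None),
    ("Q3-c2", "dave",  None, None),
]

# Constructed portfolio click rates for the roll-up view (assumed values).
PORTFOLIO_RATES = {"acme": 0.12, "beta": 0.20, "gamma": 0.08, "delta": 0.15, "eps": 0.30}

def _ts(s):
    return datetime.fromisoformat(s) if s else None

def client_kpis(events, window_days=7):
    """The four executive KPIs, each with one fixed (assumed) definition."""
    recipients = {u for _, u, _, _ in events}
    clicks = [(c, u, _ts(k), _ts(t)) for c, u, k, t in events if k]
    clickers = {u for _, u, _, _ in clicks}
    window = timedelta(days=window_days)
    # A click counts as remediated only if training completed within the window.
    in_window = [t - k for _, _, k, t in clicks if t and t - k <= window]
    campaigns_per_user = {}
    for c, u, _, _ in clicks:
        campaigns_per_user.setdefault(u, set()).add(c)
    repeaters = {u for u, cs in campaigns_per_user.items() if len(cs) >= 2}
    return {
        "click_rate": len(clickers) / len(recipients),
        "training_completion_7d": len(in_window) / len(clicks) if clicks else 0.0,
        "time_to_remediation_h": median(d.total_seconds() for d in in_window) / 3600
        if in_window else None,
        "repeat_clicker_rate": len(repeaters) / len(recipients),
    }

def portfolio_percentile(client, rates):
    """Share (0-100) of other portfolio clients with a click rate at least as high;
    lower click rate is better, so a higher percentile is better (assumed convention)."""
    mine = rates[client]
    others = [r for c, r in rates.items() if c != client]
    return 100.0 if not others else 100.0 * sum(r >= mine for r in others) / len(others)
```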
The reporting packet that goes to clients
The quarterly packet for each client engagement should be templated and identical in structure across the portfolio:
- Page 1: Executive summary with the four KPIs, four-quarter trend, one narrative paragraph. Branded for the client.
- Page 2: Cohort heatmap by department and difficulty.
- Page 3: Top three findings and remediation actions taken or planned.
- Page 4: Forward-looking program roadmap for next quarter.
- Appendix: Per-campaign detail; cyber-insurance-aligned summary; SOC 2 / HIPAA / PCI mapping where relevant.
Same template, same sections, same export workflow, every client, every quarter. The narrative paragraph is the only thing that changes per-client per-quarter; everything else is filled in from the data automatically.
Common vCISO dashboard mistakes
- Mixing operational and executive views in the same dashboard. The operational view (per-user repeat-clicker lists, manual intervention queues, template performance) belongs to the security team running campaigns, not to client executives. Building one super-dashboard that tries to serve both produces a dashboard that serves neither.
- Per-client custom KPIs that don't roll up. Every custom KPI added for a single client breaks the cross-client roll-up. Resist the temptation; either add the KPI to the standard set for everyone or report it as a narrative observation rather than a dashboard metric.
- Storing campaign artifacts outside the platform. Email screenshots, manually-tracked completion lists, separate spreadsheets. Every artifact outside the platform is one that must be rebuilt manually for the next audit cycle. Auto-assigned training with platform-tracked completion is what produces audit-ready evidence without manual stitching.
- Not separating the "vCISO view" from the "client admin view." The vCISO needs portfolio-wide tools; the client admin needs client-only tools. Conflating the two creates either over-permissive client access or under-powered vCISO workflows.
Practical alignment to NIST CSF and ISACA
The KPI structure above maps cleanly onto the NIST CSF 2.0 PR.AT (Awareness and Training) and DE.CM (Continuous Monitoring) categories, which means the same dashboard you use for client reporting also satisfies the framework-mapping requirements clients increasingly ask for. ISACA's COBIT-derived governance materials similarly treat awareness and training metrics as a continuous control rather than a periodic assessment, which matches the campaign-cohort cadence the dashboard produces.
For clients in the cyber insurance renewal cycle, the same structure satisfies the questions carriers ask with no translation. The 12-month campaign list, the per-campaign click rate, the training completion rate and the multi-channel coverage breakdown are all in the standard packet.
Pricing the vCISO engagement around the dashboard
The dashboard architecture is also a pricing tool. vCISO engagements that include phishing program delivery as a line item tend to under-price the work because the report production effort is invisible until the third or fourth client is on board. A defensible pricing structure that reflects the actual work:
- Base subscription: Platform license fees, passed through at cost, scaled by client headcount. Visible and predictable.
- Quarterly reporting: Fixed fee per client per quarter. Covers the standard four-page packet, the platform configuration review and the executive read-out call. Constant per-client cost; scales linearly with client count.
- Annual deep-dive: Higher fixed fee in Q4 or Q1. Covers year-over-year trend analysis, framework mapping refresh and a strategic program review.
- Renewal-cycle support: Variable fee triggered by cyber insurance renewal or audit fieldwork. Covers the carrier-specific or framework-specific evidence packet rebuild and broker-call participation.
- Incident-response retainer: Optional retainer for active phishing-related incidents. Distinct from the program fee; the program fee should not absorb incident response.
Pricing the dashboard as a separate quarterly fee rather than rolling it into the platform pass-through makes the work visible to the client and to the vCISO's own time tracking, which is where most fractional engagements quietly leak margin.
The maturity model for vCISO clients
Not every client should run the same program shape. A useful maturity model for vCISO portfolios:
- Level 1 - Establish. First-time program. Single quarterly all-hands campaign. Regular-difficulty templates. Auto-assigned training. Goal: produce the first audit and insurance evidence packet.
- Level 2 - Cadence. Monthly campaigns rotating across template categories. Departmental cohort reporting. Goal: drive measurable click-rate improvement quarter-over-quarter.
- Level 3 - Multi-channel. Add SMS phishing and voice (vishing) campaigns to the rotation. Channel-specific reporting. Goal: produce multi-channel coverage answers for cyber insurance applications.
- Level 4 - Targeted. Layer continuous targeted simulation on high-risk roles (finance, executives, IT administrators). Maintain campaign-based all-hands cadence underneath. Goal: drive residual-risk reduction in the cohorts most likely to be attacked.
- Level 5 - Integrated. Phishing program integrated with broader awareness curriculum, IR tabletop exercises and red-team engagement scenarios. Goal: full program integration with the rest of the security function.
vCISO clients tend to spend 12-18 months at Level 1 before moving to Level 2; Level 3 typically follows within a year of that. Mapping each client to a maturity level on the dashboard makes the portfolio's trajectory visible in a way that single-client reports don't.
How the platform supports the architecture
Bait & Phish supports per-client tenancy with shared template libraries, consistent native KPI definitions and one-click PDF export of the four-page packet structure above. Pricing scales by seat across the vCISO's client base rather than per-account overhead, which makes the economics work for fractional security leaders running this architecture across portfolios.
If you're building this dashboard for the first time, start a free 25-user trial on a single client, run a campaign through the full reporting cycle and use the resulting packet as your template. If you want to walk through the multi-client deployment specifically, contact us - we work with vCISO firms regularly and can map your client portfolio against the architecture above in a single call.