Topic(s)
Security
Author(s)
Jason Albuquerque
Originally published in Providence Business News, www.pbn.com
In my career, I’ve witnessed technology and cybersecurity leaders presenting quarterly reports to their boards, and, for me, it’s the silence that comes after these presentations that is terrifying.
It’s the silence of confusion.
Cyber risk leaders come armed with complex charts and details such as “millions of packets blocked,” “vulnerability scan coverage” and “thousands of phishing emails blocked.” Board members listen, nod and maybe ask the one question that never gets answered: “So, are we secure? And if we’re not, how much is this going to cost us?”
The routine of reporting technical metrics to the governance body responsible for fiduciary oversight and risk management is a dangerous holdover of the past. The language of the board is not bits and bytes, it’s dollars and disruption.
That’s why we must pivot to risk-informed reporting that aligns with the board’s fiduciary duties. This shift is not a “should,” it’s a “shall.” This is a mandatory move toward mature cyber risk management, driven by relentless cyber threats, glaring client demands and increasing legal and regulatory pressures.
For decades, security teams were incentivized to justify their existence by counting activities such as the number of phishing emails filtered and system patches deployed. While these are important tasks, such counts describe what the security team did; they don’t articulate which risks have been mitigated or which risks the organization remains exposed to.
Today’s digitally dependent business requires metrics that are clear, value-driven and actionable for executives. The goal is to provide them with the quantified insights needed to allocate capital and direct risk strategy.
If a cybersecurity leader cannot translate a risk into a dollar amount, they are not speaking the board’s language.
The most important conversation we can have with the board centers on quantifiable financial exposure. This presents cyber risk in terms of expected loss for specific scenarios, such as a ransomware attack. Instead of reporting in terms of the number of critical vulnerabilities, leaders should report on the financial exposure.
Answer questions such as: Is the cost of mitigation justified by the reduction in risk? Does any remaining exposure align with the company’s risk appetite?
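The two board questions above reduce to arithmetic once a scenario is expressed as expected loss. The following is an added illustration, not code from the column or its author, and every dollar figure, event frequency and control effectiveness in it is a constructed assumption chosen to make the comparison visible: it models a scenario as annual event frequency times loss per event, applies a candidate control, and reports whether the control pays for itself and whether the remaining exposure sits inside a stated risk appetite.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario expressed in board terms: how often, and how much."""
    name: str
    annual_frequency: float   # expected events per year (assumption)
    loss_per_event: float     # expected loss per event, in dollars (assumption)

    def annual_expected_loss(self) -> float:
        # Annualized expected loss = frequency x magnitude.
        return self.annual_frequency * self.loss_per_event


@dataclass(frozen=True)
class Control:
    """A mitigation with a yearly cost and its modeled effect on the scenario."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0   # fraction of events prevented, 0..1
    magnitude_reduction: float = 0.0   # fraction of per-event loss avoided, 0..1


def apply_control(scenario: Scenario, control: Control) -> Scenario:
    """Return the residual scenario after the control is in place."""
    return Scenario(
        name=f"{scenario.name} + {control.name}",
        annual_frequency=scenario.annual_frequency * (1 - control.frequency_reduction),
        loss_per_event=scenario.loss_per_event * (1 - control.magnitude_reduction),
    )


def evaluate_control(scenario: Scenario, control: Control, risk_appetite: float) -> dict:
    """Answer the two board questions: is the spend justified, and is what's left acceptable?"""
    before = scenario.annual_expected_loss()
    after = apply_control(scenario, control).annual_expected_loss()
    reduction = before - after
    net_benefit = reduction - control.annual_cost
    return {
        "control": control.name,
        "exposure_before": before,
        "exposure_after": after,
        "risk_reduction": reduction,
        "annual_cost": control.annual_cost,
        "net_benefit": net_benefit,
        # Return on security investment: benefit per dollar spent.
        "rosi": net_benefit / control.annual_cost,
        "justified": reduction > control.annual_cost,
        "within_appetite": within_risk_appetite(after, risk_appetite),
    }


def within_risk_appetite(residual_exposure: float, risk_appetite: float) -> bool:
    """Residual expected loss at or below the appetite is acceptable."""
    return residual_exposure <= risk_appetite


def rank_controls(scenario: Scenario, controls: list, risk_appetite: float) -> list:
    """Order candidate controls by net benefit so capital goes where it reduces the most risk."""
    results = [evaluate_control(scenario, c, risk_appetite) for c in controls]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


def board_summary(result: dict) -> str:
    """One line a board can read: dollars, not packet counts."""
    return (f"{result['control']}: exposure ${result['exposure_before']:,.0f} -> "
            f"${result['exposure_after']:,.0f}/yr for ${result['annual_cost']:,.0f}/yr; "
            f"net ${result['net_benefit']:,.0f}; "
            f"{'justified' if result['justified'] else 'not justified'}; "
            f"{'within' if result['within_appetite'] else 'exceeds'} risk appetite")


# Constructed sample inputs (assumptions, not data from any real organization).
RANSOMWARE = Scenario("Ransomware", annual_frequency=0.25, loss_per_event=2_000_000)
BACKUP_RECOVERY = Control("Immutable backups + tested recovery", 120_000, magnitude_reduction=0.7)
MAIL_FILTER_EDR = Control("Mail filtering + EDR", 90_000, frequency_reduction=0.6)
RISK_APPETITE = 200_000   # maximum acceptable annual expected loss (assumption)

if __name__ == "__main__":
    for r in rank_controls(RANSOMWARE, [BACKUP_RECOVERY, MAIL_FILTER_EDR], RISK_APPETITE):
        print(board_summary(r))
```

The frequency-times-magnitude model is deliberately the simplest one that still answers the board's questions; a program that has historical incident data or loss ranges would replace the single point estimates with distributions, but the two outputs the board needs (net benefit of the spend, residual exposure against appetite) stay the same.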
If a cybersecurity leader cannot translate a risk into a dollar amount, they are not speaking the board’s language.
-JASON ALBUQUERQUE
In cybersecurity, time is not just money. The speed at which an organization can detect, contain and recover from an incident determines the length of business disruption. The board doesn’t need to know the number of malware alerts. It needs to know the resilience of the business processes and support systems, and how quickly the company can successfully recover. Recent analysis shows that organizations with shorter security incident lifecycles realize significant cost improvements.
Another blind spot: supply-chain risk. Board members recognize that they are liable for the failures of their partners, providers and vendors. Cyber insurance data confirms that 40% of breach claims involve a third party. Vendor risk assessments provide a clear picture of security health across the supply chain. Start with the top five mission-critical vendors and see if their scores align with the risk appetite of the business. Then, continue to assess the supply chain from there. For vendors that fail to meet a company’s needs, work to actively remove the risks through contract changes and mandatory control implementation.
Finally, the board needs assurance that the cybersecurity program is structured, comprehensive and follows established governance. The most effective metric here is framework alignment. Nearly 73% of companies now disclose alignment with an external framework, which is a significant jump from prior years. It allows the board to assess maturity and provides a roadmap that connects security investments to compliance and industry best practices.
The shift is clear: we must move the boardroom conversation away from the tactical and toward the strategic. By adopting risk-informed metrics, we enable our boards to exercise informed oversight, align risk management with strategic growth, and ultimately strengthen trust.