{"id":15864,"date":"2026-02-25T07:03:03","date_gmt":"2026-02-25T07:03:03","guid":{"rendered":"https:\/\/newestek.com\/?p=15864"},"modified":"2026-02-25T07:03:03","modified_gmt":"2026-02-25T07:03:03","slug":"boards-dont-need-cyber-metrics-they-need-risk-signals","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15864","title":{"rendered":"Boards don\u2019t need cyber metrics \u2014 they need risk signals"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Security teams live in a world of numbers. Dashboards depict counts of blocked attacks, phishing clicks, vulnerabilities discovered, patches applied, alerts triaged, and incidents closed. Over the past decade, the cybersecurity industry has become adept at measuring activity with increasing precision.<\/p>\n

Experts say what remains far less consistent is whether those measurements help boards govern risk. For directors and senior executives, the purpose of security metrics<\/a> reporting is not to catalog effort. It is to understand exposure, trajectory, and consequence.<\/p>\n

Decision-makers want to know whether risk is increasing or decreasing, whether controls are effective, and whether the organization can limit damage when prevention fails. Metrics are therefore useful when they clarify those questions.<\/p>\n

\u201cTime is really the universal metric because everyone can understand time,\u201d Richard Bejtlich<\/a>, strategist and author in residence at Corelight, tells CSO. \u201cHow fast do we detect problems, and how fast do we contain them. Dwell time, containment time. That\u2019s the whole game for me.\u201d<\/p>\n

Organizations cannot prevent every intrusion, Bejtlich argues, but they can measure how quickly they recognize and contain one. That measure translates across technical and nontechnical audiences because it speaks directly to impact. Detection and containment speed function as proxies for business loss avoided.<\/p>\n

Financial exposure vs. operational clarity<\/h2>\n

Mike Hamilton<\/a>, CTO of Pisces International, frames board-level security reporting strictly through a fiduciary lens. In his view, metrics matter only insofar as they map directly to financial consequence.<\/p>\n

\u201cFirst of all, the board only cares about money,\u201d Hamilton tells CSO. \u201cThey don\u2019t care about scary Russian cyber buffer overflow stuff. They care about money.\u201d<\/p>\n

\u201cWhile the CISO may be interested in metrics like mean time to detect, mean time to respond, things like that, boards are charged with protecting enterprise value. Detection speed, vulnerability management, and phishing resilience matter more to them because they limit financial loss, regulatory exposure, and operational disruption,\u201d he says. \u201cWhat they really want to know is how we are lowering the likelihood of those bad outcomes that affect the business.\u201d<\/p>\n

Bejtlich, on the other hand, argues that boards can engage with a wide range of operationally grounded, governance-relevant metrics, including the number of intrusions over a given period. Those figures become meaningful when paired with consequence. \u201cWas it a breach, or was it simply unauthorized access with no consequence?\u201d Bejtlich says.<\/p>\n

\u201cI\u2019ve just never had that experience where I felt like boards couldn\u2019t handle anything that I was trying to describe to them,\u201d he adds. \u201cThe problem becomes one of, if you\u2019re speaking to them in technical terms for which they have no background, that\u2019s not really going to help.\u201d<\/p>\n

The seduction of counting<\/h2>\n

Even when metrics are not too technical and align with business impact, another problem emerges: What gets counted can crowd out what matters.<\/p>\n

Wendy Nather<\/a>, a longtime CISO who is now an advisor at EPSD, cautions against equating measurement with understanding. \u201cWhen you are reporting to the board, there are some things you just cannot count that you have to report anyway,\u201d she tells CSO.<\/p>\n

She points to incidents, near misses, and changes in assumptions as examples. \u201cAnything that changes your assumptions about how you\u2019re managing your security program, you should be bringing those to the board, even if you can\u2019t count them,\u201d Nather says.<\/p>\n

Regular metrics can create a rhythm of predictability, and that predictability could lull board members into a false sense of security. \u201cMetrics are very seductive,\u201d she says. \u201cThey lead us toward things that can be counted, that happen on a regular basis.\u201d The result may be a steady flow of data that obscures structural risk or emerging weaknesses, Nather warns.<\/p>\n

Metrics also influence behavior across the organization. In phishing programs, Nather favors measures that reinforce reporting rather than punish error. \u201cYou want to incentivize the reporting, and you want to praise people for doing it,\u201d Nather says, emphasizing that what boards choose to measure ultimately shapes how the organization behaves.<\/p>\n

George Tsantes<\/a>, partner at business advisory firm Newport, highlights the burden of proving a security program\u2019s effectiveness. \u201cI think it\u2019s shocking when I talk to different boards or different companies and discover how much time they spend proving themselves instead of actually doing things,\u201d he tells CSO.<\/p>\n

This dynamic is especially pronounced in regulated environments, where assurance work consumes resources that might otherwise be directed toward risk reduction. Regulatory scrutiny can also reorder priorities. \u201cRegulators may focus on an item that was 20th on your list, but if they write you up, now it becomes No. 1,\u201d Tsantes says. Boards, he argues, need visibility into those tradeoffs. A mature program reduces the proving burden wherever possible so that security effort is directed toward reducing risk rather than generating documentation.<\/p>\n

How AI is stress testing board-level cyber metrics<\/h2>\n

Despite reshaping many aspects of cybersecurity operations, the rapid adoption of artificial intelligence has not yet produced a distinct set of board-level security metrics. Instead, AI is exposing long-standing weaknesses in how organizations translate security activity into risk signals directors can act on.<\/p>\n

Boards are not yet asking for AI-specific dashboards, experts say. What they are asking, often implicitly, is whether AI is increasing exposure, weakening controls, or altering the organization\u2019s ability to limit damage when things go wrong.<\/p>\n

\u201cI don\u2019t think we have any output-based metrics yet,\u201d says Corelight\u2019s Bejtlich. Before organizations can measure AI risk, he argues, they must first establish basic governance signals: where AI is in use, how widely it is deployed, and whether it is expanding the attack surface or reducing operational burden.<\/p>\n

That visibility gap is already a concern for many security leaders. \u201cWhen I talk to CISOs, their biggest concern is that they can\u2019t always see what AI is being used inside of their enterprise,\u201d says EPSD\u2019s Nather. Without that awareness, boards are left with activity metrics that obscure the more fundamental question of whether the organization understands the risks it has introduced.<\/p>\n

For Bernard Brantley<\/a>, CISO at Corelight, AI does not warrant a new measurement framework so much as stricter discipline around existing ones. \u201cI don\u2019t think that they should differ from your standard metrics,\u201d he tells CSO. In practice, AI amplifies familiar security challenges \u2014 initial access, lateral movement, and data exfiltration \u2014 by increasing their scale and speed.<\/p>\n

That amplification changes what board-level metrics must signal. Expanded AI usage can increase coverage requirements, stretching teams and controls. At the same time, AI-driven automation can compress response timelines.<\/p>\n

\u201cWe were able to reduce MTTR [mean time to remediation] for this portion of our coverage by 60% because we threw an agent at it,\u201d Brantley says. The governance signal for boards is not the presence of AI itself, but how it shifts risk concentration, response capacity, and resource tradeoffs.<\/p>\n

For Newport\u2019s Tsantes, AI oversight is a test of enforcement rather than measurement. \u201cWhat the board needs to know is that there are good uses of AI and bad uses of AI,\u201d he says. But visibility without consequence is not governance. \u201cEven knowing where the AI agents might be within your assets is difficult,\u201d Tsantes adds. \u201cIf you can\u2019t fire somebody for using the wrong AI, then you really don\u2019t have any teeth in that policy.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Security teams live in a world of numbers. Dashboards depict counts of blocked attacks, phishing clicks, vulnerabilities discovered, patches applied, alerts triaged, and incidents closed. Over the past decade, the cybersecurity industry has become adept at measuring activity with increasing precision. Experts say what remains far less consistent is whether those measurements help boards govern risk. For directors and senior executives, the purpose of security… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15864","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15864","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15864"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15864\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15864"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15864"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15864"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}