COMMENTARY: Cybersecurity has become an increasingly strategic imperative, but the ways we quantify, qualify, and report on risk have been slow to evolve. Some of the most common metrics we see in security reports are how many vulnerabilities we discovered and patched, and how fast we responded. I call these vanity metrics: numbers that look impressive in reports, but lack real-world impact. I’ve seen firsthand how this disconnect between measurement and meaning can leave organizations exposed.

Vanity metrics are numbers that look good in a report, but offer little strategic value. They’re easy to track, simple to present, and are often used to demonstrate activity, but they don’t usually reflect actual risk reduction. They typically fall into three main types:
Volume metrics – Patches applied, vulnerabilities discovered, and scans completed.
Time-based metrics without risk context – Metrics like Mean Time to Detect (MTTD) or Mean Time to Remediate (MTTR) sound impressive. But without prioritization based on criticality, speed represents just the “how” and not the “what.”
Coverage metrics – Percentages like “95% of assets scanned” or “90% of vulnerabilities patched” give an illusion of control.
Vanity metrics aren’t inherently wrong, but they’re dangerously incomplete. I’ve seen organizations burn through time and budget chasing numbers that looked great in executive briefings, and I’ve seen breaches occur in environments full of glowing KPIs. The reason? Those KPIs weren’t tied to reality. A metric that doesn’t reflect actual business risk isn’t just meaningless – it’s dangerous.

Move to meaningful metrics

If vanity metrics tell us what’s been done, meaningful metrics tell us what matters. They shift the focus from activity to impact – giving security teams and business leaders a shared understanding of actual risk. A meaningful metric starts with a clear formula: risk = likelihood × impact. It doesn’t just ask “What vulnerabilities exist?” It asks: “Which of these can attackers exploit to reach our most critical assets, and what are the consequences of an attack?” Make the shift to meaningful metrics by anchoring reporting around these five metrics:
Risk score (tied to business impact): A meaningful risk score weighs exploitability, asset criticality, and potential impact. It should evolve dynamically as exposures change or as threat intelligence shifts. This score helps leadership understand security in business terms, not how many vulnerabilities exist, but how close we are to a meaningful breach.
Critical asset exposure (tracked over time): Not all assets are equal. We need to know which of our business-critical systems are exposed – and how that exposure has been trending. Are we reducing risk to our most important infrastructure, or just spinning cycles on low-impact fixes? Tracking this over time shows whether the security program actually closes the right gaps.
Attack path mapping: Vulnerabilities don’t exist in isolation. Attackers chain together exposures – misconfigurations, overprivileged identities, unpatched CVEs – to reach high-value targets. Mapping these paths shows us how an attacker could actually move through an environment. It helps prioritize not just individual issues, but the way they combine to form a threat.
Exposure class breakdown: We need to understand what types of exposures are most prevalent – and most dangerous. Whether it’s credential misuse, missing patches, open ports, or cloud misconfigurations, this breakdown informs both tactical response and strategic planning. If 60% of risk stems from identity-based exposures, for example, that should shape the company’s investment decisions.
Mean Time to Remediate (MTTR) for critical exposures: Average MTTR doesn’t really tell us much. It gets dragged down by easy fixes and ignores the tough problems. What matters is how fast we’re closing the exposures that actually put the organization at risk. MTTR for critical exposures – those tied to exploitable attack paths or crown-jewel assets – is what really defines operational effectiveness.
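The arithmetic behind these five metrics, as an added illustration that is not code from this column or from XM Cyber: the Python below runs a constructed inventory of eight exposures through the risk = likelihood × impact score, a breadth-first attack path mapping that marks which exposures sit on an exploitable chain from an internet-facing entry point to a crown-jewel asset, the resulting set of critical exposures, average MTTR beside MTTR for critical exposures, the exposure class breakdown by raw count versus by risk, and the list of critical exposures still open (the number to track over time). The field scales (likelihood 0..1, criticality and consequence 1..5), the 0.5 exploitability threshold, the asset names and every sample value are assumptions made for the example.

```python
# Added example: meaningful security metrics over a constructed exposure inventory.
# Not code from the column or from XM Cyber; every scale, threshold, weighting
# and sample value is an assumption for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, Iterable, List, Optional, Set

EXPLOITABLE = 0.5   # assumed: likelihood at or above this counts as exploitable
CROWN_JEWEL = 5     # assumed: criticality value reserved for crown-jewel assets


@dataclass(frozen=True)
class Exposure:
    exposure_id: str
    exposure_class: str                 # identity, patch, network, cloud_config
    likelihood: float                   # 0..1, chance an attacker can exploit it
    asset_criticality: int              # 1..5 for the asset reached (dst), 5 = crown jewel
    consequence: int                    # 1..5 business damage if that asset falls
    src: str                            # asset an attacker must already hold
    dst: str                            # asset this exposure lets them reach
    days_to_remediate: Optional[float]  # None while still open


def _reach(start: str, adj: Dict[str, List[Exposure]],
           step: Callable[[Exposure], str]) -> Set[str]:
    """Breadth-first set of assets reachable from `start` over the given adjacency."""
    seen, queue = {start}, deque([start])
    while queue:
        for e in adj.get(queue.popleft(), []):
            nxt = step(e)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposures_on_attack_paths(exposures: Iterable[Exposure], entry: str,
                              crown_jewels: Set[str]) -> Set[str]:
    """Attack path mapping: ids of exposures lying on some chain from `entry` to a
    crown jewel, chaining only exposures an attacker can actually exploit."""
    edges = [e for e in exposures if e.likelihood >= EXPLOITABLE]
    forward: Dict[str, List[Exposure]] = defaultdict(list)
    backward: Dict[str, List[Exposure]] = defaultdict(list)
    for e in edges:
        forward[e.src].append(e)
        backward[e.dst].append(e)
    from_entry = _reach(entry, forward, lambda e: e.dst)   # assets the attacker can get to
    to_jewel: Set[str] = set()                              # assets from which a jewel is reachable
    for jewel in crown_jewels:
        to_jewel |= _reach(jewel, backward, lambda e: e.src)
    return {e.exposure_id for e in edges if e.src in from_entry and e.dst in to_jewel}


def risk_score(e: Exposure) -> float:
    """risk = likelihood x impact, with impact = asset criticality x consequence (0..25)."""
    return e.likelihood * (e.asset_criticality * e.consequence)


def is_critical(e: Exposure, on_path: Set[str]) -> bool:
    """Critical = on an exploitable attack path, or touching a crown-jewel asset."""
    return e.exposure_id in on_path or e.asset_criticality >= CROWN_JEWEL


def mean_time_to_remediate(exposures: Iterable[Exposure],
                           critical_only: Optional[Set[str]] = None) -> Optional[float]:
    """Average days to close, excluding still-open exposures. Pass the critical-id set
    to get MTTR for critical exposures only. None if nothing in scope has been closed."""
    days = [e.days_to_remediate for e in exposures if e.days_to_remediate is not None
            and (critical_only is None or e.exposure_id in critical_only)]
    return mean(days) if days else None


def share_by_class(exposures: Iterable[Exposure], weight: str = "risk") -> Dict[str, float]:
    """Exposure class breakdown as fractions, weighted by risk score or by raw count."""
    totals: Dict[str, float] = defaultdict(float)
    for e in exposures:
        totals[e.exposure_class] += risk_score(e) if weight == "risk" else 1.0
    grand = sum(totals.values())
    return {cls: v / grand for cls, v in totals.items()} if grand else {}


def open_critical(exposures: Iterable[Exposure], critical_ids: Set[str]) -> List[str]:
    """Critical asset exposure right now: critical exposures still open (track over time)."""
    return [e.exposure_id for e in exposures
            if e.days_to_remediate is None and e.exposure_id in critical_ids]


# Constructed sample. Assumed topology: internet -> web -> ad -> db; db and backup are crown jewels.
SAMPLE: List[Exposure] = [
    Exposure("EXP-001", "identity", 0.9, 5, 5, "ad", "db", 30.0),
    Exposure("EXP-002", "patch", 0.2, 1, 1, "internet", "kiosk", 1.0),
    Exposure("EXP-003", "patch", 0.3, 2, 1, "web", "kiosk", 2.0),
    Exposure("EXP-004", "identity", 0.8, 4, 4, "web", "ad", 21.0),
    Exposure("EXP-005", "network", 0.6, 1, 2, "internet", "printer", 1.0),
    Exposure("EXP-006", "cloud_config", 0.6, 5, 3, "internet", "backup", 14.0),
    Exposure("EXP-007", "patch", 0.7, 2, 2, "internet", "web", 3.0),
    Exposure("EXP-008", "cloud_config", 0.7, 5, 2, "workstation", "db", None),
]
CROWN_JEWELS = {"db", "backup"}


def critical_set(exposures: Iterable[Exposure], entry: str = "internet") -> Set[str]:
    """Ids of critical exposures: on an exploitable path from `entry`, or on a crown jewel."""
    exposures = list(exposures)
    on_path = exposures_on_attack_paths(exposures, entry, CROWN_JEWELS)
    return {e.exposure_id for e in exposures if is_critical(e, on_path)}


if __name__ == "__main__":
    crit = critical_set(SAMPLE)
    print("critical:", sorted(crit))
    print("average MTTR (days):", round(mean_time_to_remediate(SAMPLE), 1))
    print("critical MTTR (days):", round(mean_time_to_remediate(SAMPLE, crit), 1))
    print("share by count:", {k: round(v, 2) for k, v in share_by_class(SAMPLE, "count").items()})
    print("share by risk:", {k: round(v, 2) for k, v in share_by_class(SAMPLE).items()})
    print("open critical exposures:", open_critical(SAMPLE, crit))
```

On this sample the average MTTR comes out near 10 days while MTTR for critical exposures is 17 days, because the quick low-impact fixes drag the average down. By count, missing patches are the largest class; by risk, identity exposures carry roughly 63% of the total, which is the kind of investment signal the column describes. EXP-007 is a patch on a low-criticality web server that is nonetheless critical, because it is the first hop on the path inward, and EXP-008 is critical without being reachable from the entry point, because it sits on a crown-jewel asset.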
Taken together and continuously updated, meaningful metrics give us more than a snapshot – they offer a living, contextual view of our threat exposure. They elevate security reporting from task tracking to strategic insight. And most importantly, they give both security teams and business leaders a common language for making risk-informed decisions.

The metrics we choose shape the conversations we have – and the ones we miss. Vanity metrics keep everyone comfortable. Meaningful metrics force harder questions, but they get us closer to the truth.

Bottom line: we can’t reduce risk if we’re not measuring it properly. So let’s start measuring it properly.

Jason Fruge, CISO in Residence, XM Cyber

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.