We Said/He Said: CISO Talent And Cybersecurity Leader Talent Are Not The Same
Recently we started following Dr Eric Cole on LinkedIn and on his Substack channel. His recent pieces are very good.
One of his posts notes that metrics/numbers are good, but they don't answer the fundamental question Boards care about: are we secure?
So why do we report things such as patch compliance rates, vulnerability counts, mean time to remediate, and tool coverage?
Because they are metrics under our control and they're comfortable and easy to explain. Same in any field -- keep it simple, stupid.
It's a metric, it's not magic.
What Eric says next is, well, magic: "When boards ask oversimplified questions, they get oversimplified answers. Dashboards are built to reassure rather than challenge. Over time, this trains leadership to equate motion with protection."
Let's not laugh too quickly at those dumb ol' Boards asking oversimplified questions, though, because where do they get the idea that metrics are security?
That's right.
They got the idea from you, or your predecessor, because those metrics made sense several years ago.
And sure, they are meaningful because you need to keep patch compliance up and so on.
But your adversaries have upped their game, and focusing on what worked before they upped their game means you lose.
Your new game, which Eric alludes to in this post, is to be better at keeping systems secure. Your game is not managing compliance rates.
Metrics are signs and symptoms, they are not security.
Leaders who cling to convenient metrics are doomed, while leaders who answer the "are we secure?" question are the way forward. It might be premature to say that divide, metrics v. security, reflects the legacy CISO v. cybersecurity leader approaches, but it's not unfair to consider the extent to which it does.
Where are you on that continuum?
Ask us how we can help you find the right metrics to indicate how secure your systems are.