Executives Don't Care About Vanity Metrics

What is the best way to improve your relationship with executives and the Board?

The quickest and easiest way to improve your relationship with executives is to stop reporting vanity metrics!

A great example of a vanity metric is something like the number of spam emails blocked by some device or cloud solution. Admittedly, back in the mid to late 2000s, I too reported this metric. I did it because my predecessor had done it.

As the cybersecurity manager, I looked at the number of blocked spam emails regularly because it could tell me two things: a) the solution was still working as planned, or b) if the number increased dramatically, the organization was probably being targeted.

But the spam messages metric is not helpful to executives because it has no bearing on any decision they have to make. It has no usefulness to them. The metric only takes up space in their minds, which are already full of massive amounts of information.

What, then, should be reported?

Metrics and measures that provide context for decision making.

For example, if the latest update to the risk assessment — because you’re hopefully doing real-time risk updates — shows a system moving outside of the organization’s risk tolerance, a decision needs to be made regarding how to deal with that risk.

So the report would include the risk rating, the reason for the rating change, and a recommendation on managing the risk.

Providing the right information to facilitate an executive decision will show you understand the Board’s needs and respect their business-oriented perspective. They will appreciate you making their job easier.

You will be more respected as a partner to the business and, consequently, get more of the budget you need to successfully operate a solid cybersecurity program.

Rethink your cybersecurity report by putting yourself in a business person’s shoes. Perhaps I have a slight advantage over some CISOs because I happen to own a business and have to wear both hats (cybersecurity and business) most days. But several years ago, I was tired of the reports we as an industry typically generated. I threw out the existing “Board Report” we delivered to clients and started from scratch with the business owners in mind.

The results have been incredible. Clients love the information in the report. Boards love the business-friendly format. Auditors love the breadth and impact of the items covered.

Get your free template here and good luck!