IT Security Blog | Rivial Security

Executives Don't Care About Vanity Metrics

Written by Randy Lindberg | 22 Feb 2023

Here are the key takeaways from this blog:

  • Stop Reporting Vanity Metrics: Metrics like “number of spam emails blocked” may feel useful but offer no actionable insight for executives or Boards—and only dilute your credibility.
  • Focus on Decision-Ready Insights: Report on metrics that drive decisions, like risk ratings that exceed tolerance, the reason behind changes, and recommended next steps.
  • Speak the Board’s Language: Framing cybersecurity in terms of business impact earns trust, improves alignment, and increases your chances of securing budget and support.
  • Better Reports = Better Relationships: A well-crafted, business-friendly cybersecurity report not only helps Boards make informed decisions—it elevates your role as a strategic partner.

Effective Board Reporting

Learn how to properly report to the board using our template below!
What is the best way to improve your relationship with executives and the Board?

The quickest and easiest way to improve your relationship with executives is to stop reporting vanity metrics!

A great example of a vanity metric is something like number of spam emails blocked by some device or cloud solution. Admittedly, back in the mid to late 2000s, I too reported this metric. I did it because my predecessor had done it. 

As the cybersecurity manager, I looked at the number of blocked spam emails regularly because it was an operational indicator: a steady count suggested the solution was still working as planned, and a sudden jump suggested the organization was being targeted. 

But the spam messages metric is not helpful to executives because it has no bearing on any decision they have to make. It belongs on an operational dashboard, not in the Board pack. In the Board pack it only takes up space in minds that are already full of massive amounts of information. 

What, then, should be reported?

Metrics and measures that provide context for decision making. 

For example, if the latest update to the risk assessment (because you're hopefully doing real-time risk updates) shows a system moving outside the organization's risk tolerance, a decision needs to be made about how to deal with that risk.

So the report would include the risk rating, the reason for the rating change, and a recommendation on managing the risk.
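The filtering this describes is simple to automate. The following is an added example, not code from the original post or from Rivial Security: it compares two snapshots of a risk register against an assumed tolerance threshold and keeps only the items an executive actually has to decide on (new or continuing exceedances, plus items that have dropped back inside tolerance), each carrying the rating, the reason for the change, and the recommendation. The register fields, system names, ratings, the 1-25 likelihood-times-impact scale, and the tolerance value are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed organisational risk tolerance on a 1-25 (likelihood x impact) scale.
TOLERANCE = 12


@dataclass(frozen=True)
class RiskEntry:
    system: str
    likelihood: int        # 1-5, assumed scale
    impact: int            # 1-5, assumed scale
    driver: str            # why the rating changed since the last snapshot
    recommendation: str    # proposed treatment for the executive to approve

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact


# Constructed sample snapshots (not real data): previous quarter vs. now.
PREVIOUS: Dict[str, RiskEntry] = {
    "online-banking": RiskEntry("online-banking", 2, 5, "baseline", ""),
    "core-ledger":    RiskEntry("core-ledger", 2, 4, "baseline", ""),
    "hr-portal":      RiskEntry("hr-portal", 3, 5, "baseline", ""),
    "mail-gateway":   RiskEntry("mail-gateway", 1, 2, "baseline", ""),
}
CURRENT: Dict[str, RiskEntry] = {
    "online-banking": RiskEntry("online-banking", 4, 5,
                                "critical vendor patch outstanding past SLA",
                                "approve an emergency patch window this week"),
    "core-ledger":    RiskEntry("core-ledger", 2, 4, "no change", ""),
    "hr-portal":      RiskEntry("hr-portal", 2, 5,
                                "MFA now enforced for all staff logins",
                                "accept the residual risk; no further spend"),
    "mail-gateway":   RiskEntry("mail-gateway", 1, 2, "no change", ""),
}


def decision_items(previous: Dict[str, RiskEntry],
                   current: Dict[str, RiskEntry],
                   tolerance: int = TOLERANCE) -> List[dict]:
    """Keep only register entries that require an executive decision.

    An entry is reported if it now exceeds tolerance (new or continuing),
    or if it was over tolerance last time and has since come back inside,
    so the Board sees the outcome of the decision it previously made.
    Everything else stays on the operational dashboard.
    """
    items = []
    for name, now in current.items():
        before = previous.get(name)
        was_over = before is not None and before.rating > tolerance
        is_over = now.rating > tolerance
        if is_over:
            status = "exceeds tolerance (new)" if not was_over else "exceeds tolerance (continuing)"
        elif was_over:
            status = "back within tolerance"
        else:
            continue  # within tolerance before and now: no decision needed
        items.append({
            "system": name,
            "previous_rating": before.rating if before else None,
            "rating": now.rating,
            "status": status,
            "driver": now.driver,
            "recommendation": now.recommendation,
        })
    # Highest rating first so the most urgent decision leads the report.
    return sorted(items, key=lambda item: -item["rating"])


def render(items: List[dict]) -> str:
    """One line per decision item, in the order the Board should read them."""
    lines = []
    for item in items:
        prev = item["previous_rating"]
        change = f"{prev} -> {item['rating']}" if prev is not None else str(item["rating"])
        lines.append(f"{item['system']}: {change} [{item['status']}] "
                     f"because {item['driver']}; recommended: {item['recommendation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(decision_items(PREVIOUS, CURRENT)))
```

Two of the four systems never reach the report: core-ledger and mail-gateway are within tolerance in both snapshots, so they are noise to an executive even though the operational team still tracks them. The hr-portal line is kept deliberately, since a Board that approved MFA spend last quarter wants to see that the risk it paid to reduce actually came down.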

Providing the right information to facilitate an executive decision will show you understand the Board’s needs and respect their business-oriented perspective. They will appreciate you making their job easier.

You will be more respected as a partner to the business and, consequently, get more of the budget you need to successfully operate a solid cybersecurity program.

Rethink your cybersecurity report by putting yourself in a business person's shoes. Perhaps I have a slight advantage over some CISOs because I happen to own a business and have to wear both hats (cybersecurity and business) most days. But several years ago, I was tired of the reports we as an industry typically generated. I threw out the existing "Board Report" we delivered to clients and started from scratch with the business owners in mind.

The results have been incredible. Clients love the information in the report. Boards love the business-friendly format. Auditors love the breadth and impact of items covered. 

Get your free template here and good luck!
