top of page

Cyber at Board Level: Why most organisations measure activity rather than risk.

  • i-confidentialsite
  • Jun 12
  • 3 min read

An article by Brian Boyd, Principal Consultant

A diverse team engaged in a boardroom meeting, attentively analysing graphs and metrics presented on a screen.
A diverse team engaged in a boardroom meeting, attentively analysing graphs and metrics presented on a screen.

Most boards believe they have a reasonable understanding of cyber risk because the reporting they receive looks structured, measurable and reassuring. Dashboards show patching performance, phishing results, vulnerability trends and maturity scores, all presented in a way that feels objective and controlled.


The challenge is that most of those measures were never designed to explain business risk. They evolved from operational IT reporting, where the focus was naturally on whether systems and controls were functioning as expected. Over time, organisations became very good at measuring cyber activity, without necessarily improving their understanding of what happens to the business when those controls fail.


That’s understandable when you look at where cyber reporting came from. Like looking at an engine, you can see whether everything is running, but not necessarily what happens when it fails under pressure. Once reporting is built around what is easiest to count, patching levels, vulnerabilities, phishing results, those measures naturally start to shape the conversation.


Worse, once those measures are pulled together into dashboards and RAG status, they create a sense of control. A board sees green and assumes the organisation is protected. In most cases, those indicators simply confirm that processes are operating as expected, not that the business would hold up where it matters most.


The result is that organisations often know far more about whether controls are operating than they do about what happens when those controls fail. The practical business questions are almost always missing. Which services are genuinely exposed? How quickly would an issue be detected? How well could the organisation actually respond? What does the financial or operational impact look like when something goes wrong? Those questions rarely appear in the pack.

You see it in the way cyber posture is described. “We are at maturity level 3.2, moving to 3.5” or “we’re hitting our patching targets”. Those measures may indicate progress, but they still don’t answer the question boards actually need answered, what happens to the business when controls don’t hold under pressure.

What’s interesting is that this gap has persisted despite significant investment in cyber maturity.


Organisations have spent years building capability, implementing frameworks and improving controls, often assuming that would naturally lead to better understanding. But maturity models measure how well practices have been implemented, not how the business holds up when those practices are tested under pressure. You can be “mature” and still take a hit in exactly the areas that matter most.


There's also a structural element to consider. In many organisations, cyber is managed in silos. Security does its job, IT does its job, risk does its job, but nobody is assembling those pieces into a view of what the business actually stands to lose.


At its core, this isn’t really a tooling issue or even a reporting issue. It’s a translation issue.


Cyber teams are working in technical terms because that’s what they can evidence. Leadership is making decisions in business terms. Reporting sits in the middle and often simplifies things into dashboards that don’t quite connect the two.


Until that translation improves, this gap will keep showing up. Organisations will continue to produce large amounts of data, but boards will still be left without a clear view of where the real risk sits and what decisions they need to make about it.


We'll publish part 2 in this series soon!

 
 
bottom of page