I have sat in boardrooms where the disconnect is palpable. While cybercrime costs hit $10.5 trillion, only 8% of directors view security as a strategic threat. I see leaders drowning in technical jargon, missing the vital business risks.
The reality is that only half of boards feel confident in their security posture. Even worse, just 34% of boards have defined their cyber risk appetite. The reason, in my view, is that we focus on volume rather than impact, which leaves boards without a clear picture of their actual security posture.
It’s time to change the metric for judging security from “how many vulnerabilities” to “how exposed the business really is”. In my experience, that single shift changes the entire boardroom conversation. It moves security discussions from technical reporting to real business risk.
Why I See Volume-Based Metrics Failing Security Boards
I have sat through countless boardroom presentations where the primary focus was on huge numbers. The technical team often shows millions of blocked pings or thousands of stopped attacks to create what I call a “wow factor”. While these numbers look impressive, I’ve seen them fail to provide any real strategic value. These data points are mostly trailing indicators of operational results. They don’t actually tell the board if we are protected against a real, sophisticated threat.
I’ve noticed that flooding a board with volume-based data leads directly to security fatigue. When there is too much noise, stakeholders eventually stop seeing the actual red flags that require their attention. I believe this happens because of a massive mismatch in our current dialogue. We are giving leaders technical jargon and volume metrics when they actually need information aligned to our business drivers.
Most board members are not cyber experts. They want to know if our applications are safe, not how many times a firewall functioned correctly. When we focus on volume, we force the board into a reactive state where they feel apprehensive about the quality of their governance. This confusion often leads to poor investment decisions based on the wrong priorities.
I am now pushing for a move toward outcome-driven metrics instead. We need reporting that is consistent, adequate, and effective for the business. My goal is to stop measuring “how much” we are doing and start measuring “how well” our critical assets are protected. In my experience, security only becomes a strategic advantage when it is treated as a business investment rather than just a technical necessity.
Why Exploitability Should Be the Metric That Matters
From what I have seen in real security discussions, the biggest gap is not finding vulnerabilities. It is understanding which ones can actually be used in an attack. That is why I believe exploitability needs to become the metric boards pay attention to.
Exploitability connects security findings to real-world risk
When I look at vulnerabilities through the lens of exploitability, the conversation changes. Instead of counting issues, I focus on which ones an attacker could realistically use to gain access or move deeper into systems.
It helps prioritize what truly needs attention
Not every vulnerability carries the same level of danger. When exploitability becomes the focus, I can clearly see which issues deserve immediate action and which ones are unlikely to pose meaningful risk.
Boards understand risk better than technical metrics
In my experience, boards do not need more technical numbers. They need clarity about exposure. Exploitability gives them a clearer picture of whether the organization is facing a real threat or a theoretical issue.
It shifts reporting from activity to impact
Many security reports highlight how much work the team completed. Exploitability changes that perspective. Instead of showing how busy we are, it shows whether our work is reducing the organization’s real attack surface.
It reflects how modern attacks actually happen
Attackers rarely rely on a single vulnerability. They look for weaknesses they can exploit and combine. Focusing on exploitability helps reveal the paths attackers are most likely to use in practice.
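As an added illustration, not code from the original article or from ZeroThreat’s platform: a small Python model of a constructed three-tier environment that puts the usual volume metric beside an exposure view, chaining only findings with a known exploit across hosts an attacker can actually reach. The finding ids, host names, scores and network edges are all assumptions made up for the example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    fid: str
    host: str
    cvss: float
    exploit_available: bool  # a working exploit is known, not just a high score

# Constructed sample data: five findings across a small three-tier environment.
FINDINGS = [
    Finding("F1", "web-01", 9.8, True),
    Finding("F2", "web-01", 5.3, False),
    Finding("F3", "app-02", 7.5, True),
    Finding("F4", "db-03", 6.5, True),     # medium score, but on the path to the database
    Finding("F5", "build-09", 9.8, True),  # critical score, but on an isolated host
]
# Which host can reach which (constructed); "internet" is where the attacker starts.
EDGES = {"internet": ["web-01"], "web-01": ["app-02"], "app-02": ["db-03"], "build-09": []}
CRITICAL_ASSETS = {"db-03"}

def volume_metric(findings):
    """The 'how many vulnerabilities' number boards are usually shown."""
    return len(findings)

def attack_path(findings, edges, start="internet"):
    """Hosts an attacker can chain through: every hop needs an exploitable finding."""
    exploitable_hosts = {f.host for f in findings if f.exploit_available}
    seen, order, queue = {start}, [], deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt in exploitable_hosts and nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order

def exposure_summary(findings, edges, critical):
    """The 'how exposed is the business' view: only findings on a reachable chain count."""
    path = attack_path(findings, edges)
    on_path = [f.fid for f in findings if f.exploit_available and f.host in path]
    stranded = [f.fid for f in findings if f.exploit_available and f.host not in path]
    return {
        "findings_total": volume_metric(findings),
        "exploitable_total": sum(f.exploit_available for f in findings),
        "on_attack_path": on_path,
        "critical_assets_reachable": sorted(set(path) & critical),
        "exploitable_but_unreachable": stranded,
    }
```

Run on the sample data, the volume view reports five findings and two 9.8 scores, while the exposure view shows that the three findings on the internet-to-database chain (including the medium-scored one) are what actually matter and that the isolated 9.8 is not on any reachable path.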
My Take on Why Boards Struggle with the Speed of Modern Risk
The biggest challenge in security today is speed. Modern risks appear and evolve faster than most security processes can respond. That gap is where real exposure begins.
One thing I have seen repeatedly is that modern environments move much faster than traditional security cycles. Applications are deployed daily. APIs change constantly. Cloud infrastructure scales in minutes. But many security programs still operate on periodic testing and manual review.
This creates a timing problem.
- Development moves faster than security validation: I often see teams releasing new features weekly or even daily. Security testing, however, still happens quarterly or during scheduled assessments. By the time results arrive, the environment has already changed.
- New attack paths appear as systems evolve: Modern applications are highly connected. A small change in an API, authentication flow, or business logic can create new exploit paths. These risks often appear between testing cycles.
- Security teams are forced to prioritize constantly: Most teams deal with hundreds of alerts, vulnerabilities, and security findings. With limited time and resources, it becomes difficult to determine which issues truly matter right now.
Because of this, risk is no longer static. It moves with the pace of development and infrastructure changes. If security programs cannot match that speed, visibility alone will not reduce exposure. That is why I believe modern security discussions should focus more on how quickly we identify and validate real threats, not just how many vulnerabilities we discover over time.
The Real Security Questions Boards Should Ask CISOs
In my experience, boards are not asking the wrong questions intentionally. Most of the time, they simply rely on the metrics they are given. But when the conversation shifts to risk, the questions also need to change.
I have found that the most useful board discussions happen when the focus moves away from activity and toward exposure. Instead of asking how much work was done, boards should ask questions that reveal whether the organization is truly protected.
Some of the questions I believe boards should ask include:
- Which vulnerabilities in our environment could actually be exploited today?
- What attack paths could realistically lead to a major breach?
- How quickly can we detect and validate real security threats?
- Where do we currently have the highest exposure to real-world attacks?
- Are we measuring security activity or actual risk reduction?
- How confident are we that our critical systems are protected from exploitation?
When these kinds of questions come up, the conversation becomes much more meaningful. Instead of reviewing technical reports, boards begin to understand the organization’s real security posture. It allows CISOs to talk about risk in a language that leadership understands. And it helps boards make decisions based on actual exposure, not just security metrics.
Moving From Technical Checklists to Strategic Reporting
For years, I have seen security reporting revolve around technical checklists. Vulnerability counts, scan coverage, and patch numbers dominate the conversation. But these metrics rarely explain real exposure. Boards need reporting that clearly shows how security issues translate into business risk.
In my experience, the moment reporting focuses on exploitability and real attack paths, the organization’s actual security posture becomes visible. Security stops being a technical update and becomes a strategic discussion. Boards begin to understand where the organization is truly exposed.
Moving forward, security reporting must evolve beyond activity metrics. I believe boards should see clear insights about risk, exposure, and potential impact. When reporting reflects real-world threats, it helps leadership make smarter decisions and strengthens security at its core.
About the Author
Dharmesh Acharya is the Co-Founder of ZeroThreat Inc. He helps lead the development of an AI-powered automated penetration testing platform designed to secure modern web applications and APIs. His work focuses on advancing intelligent security testing that enables organizations to detect vulnerabilities faster, reduce false positives, and integrate security seamlessly into modern DevSecOps workflows. With over 25 years of experience, strong technical expertise and strategic leadership, Dharmesh has guided ZeroThreat’s rapid adoption across enterprises, advancing the mission to embed security seamlessly into development workflows. He actively shares insights on modern security practices, including shift-left testing and zero-trust architecture.
Dharmesh can be reached online at [email protected] and at our company website https://zerothreat.ai/